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Preface 



Three years ago my director, Dennis 
Miyoshi, came into my office and said, "I 
think we should write a textbook on secu- 
rity." Little did I know how long and 
complicated the path ahead would be. 
Actually, it was a good idea; I just wasn't 
convinced that there was a need. After a 
short period of time, it became apparent 
that he was right. 

In 1996, we formed the Southwest 
Surety Institute with Arizona State Uni- 
versity, New Mexico State University, the 
New Mexico Institute of Mining and Tech- 
nology, and Louisiana State University, 
with the goal of developing unique pro- 
grams in security education. We were 
asked by these universities to teach the 
first offering of an introductory course to 
security system design and analysis. The 
universities had agreed to use the method- 
ology developed at Sandia National Labo- 
ratories as the basis of their programs. 
Each university had a specific expertise in 
an area closely related to the discipline of 
security. The range of capability was quite 
diverse, including explosives research 
and development, shock physics, engi- 
neering technology, business, computer 
security, and criminal justice. Our job was 
to help the universities incorporate our 
structured methodology into their cur- 
ricula. After we agreed to help teach, I 
started looking for a textbook to supple- 
ment the material that we normally dis- 
tribute when we teach classes. To my 
dismay, there were no suitable books 
available. Thus, when I began teaching in 
the spring of 1997, I also started revising 
our existing course material to be more 
applicable to the private sector. 



Sandia developed the methodology pre- 
sented in this text over twenty-five years 
of research, development, and application 
in protecting nuclear assets at U.S. gov- 
ernment sites around the world. It is a 
structured approach that emphasizes the 
use of component performance measures 
to establish the effectiveness of physical 
protection systems. It applies science 
and engineering principles to meet sys- 
tem goals. Don't get me wrong — it isn't 
rocket science. I tell my students this 
all the time. What this book does is 
describe a problem-solving approach. It 
discusses defining and understanding the 
problem prior to designing the system, 
and it provides methods to evaluate the 
design before implementation. Although 
the process is specific to physical pro- 
tection in this text, it is also applicable 
to information systems. This book de- 
scribes the use of many of the protec- 
tion elements that exist to support a secu- 
rity system, but it primarily shows how 
these elements are integrated to make an 
effective system. The process culminates 
in a risk assessment that predicts how 
well the protection system performs and 
helps senior management quantify the 
remaining risk. 

It is critically important to consider 
legal issues, liability, and business goals 
in the design of a security system. At the 
same time, these elements are more the 
environment within which the protection 
system must perform than the actual 
protection system. As such, they become 
inputs to the system design. This book 
describes how, after understanding the 
environment and various constraints, 
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we can design and evaluate a physical 
protection system. The process itself 
incorporates aspects of criminal justice, 
business, and technology that have 
been described in other books, but puts 
them into a structured flow and uses com- 
ponent performance measures to predict 
overall protection system effectiveness. 

This is not a book about case law, inves- 
tigative techniques, contract or project 
management, or law enforcement. These 
pieces, while all necessary, are not 
sufficient to design and implement an 
effective protection system. It is the 
integration of these elements with tech- 
nology, people, and procedures to meet 
protection objectives that is the goal. 
There are many excellent sources of infor- 
mation on each of these topics and their 
application to hundreds of different sites 
or facilities. Many of the best sources are 
cited in the chapters that follow. The 
emphasis in this text is the process, not 
the many specific details that exist to 
help solve protection problems. At appro- 
priate places in the text, other areas that 
support the design and evaluation of a 
physical protection system are noted. 
I hope this establishes not only the impor- 
tance of these other areas, but also where 
they fit in the overall protection system. 
This text also does not differentiate by the 
type of facility. The process is the same, 
no matter what facility or enterprise is to 
be protected. I appreciate that each facil- 
ity has different assets and threats, as well 
as varying capabilities to protect assets. 
That is precisely why there needs to be 
an emphasis on and education about the 
process. What is most important is the 
journey, not the final destination. The spe- 
cific application is not as much the 
problem as understanding the goals and 



objectives of the protection system and 
applying limited resources to the protec- 
tion of the most important assets. This 
must be accomplished in a realistic and 
measurable way, so that the executives 
who manage corporations can be confi- 
dent that the security manager is reducing 
the risk to the facility. 

As with any work of this magnitude, 
there are a great many people to whom I 
owe a debt of gratitude. At Sandia they 
include Doug Adams, Carol Baxter, Ryan 
Bedoe, Jim Blankenship, Theresa Bourne, 
Donna Bruce, Tim Buckle, Greg Cone, 
Bonnie Floran, Gloria Hill, Liz Jaramillo, 
Steve Jordan, John Kane, Kay Kelly, 
Lyle Kruse, Tim Malone, Larry Miller, 
Dale Murray, Nick Nicholson, Sharon 
O'Connor, Chuck Rhykerd, Charles 
Ringler, Mark Snell, Mark Soo Hoo, Debra 
Spencer, Boris Starr, Basil Steele, Dave 
Swahlan, Joe Vigil, Ivan Waddoups, Anne 
Weimer, and Dennis Miyoshi. The expert 
information presented in this text belongs 
to them; any errors are strictly mine. This 
assertion, though traditional, is nonethe- 
less sincere. At Butterworth-Heinemann, 
Laurel DeWolf, Jennifer Packard, Maura 
Kelly, and Cate Barr patiently helped me 
put it all together. Others who helped 
include Dennis Giever, Dave Gilmore, 
Brad Rogers, and all my students in the 
university classes. I am grateful to the 
Southern Poverty Law Center for permis- 
sion to use the image that appears in 
Chapter 3, "Threat Definition." Finally, 
my special thanks to Doug Fuller, Bailey, 
and Paul Ebel. 

I hope you find this book useful and 
informative. 

Mary Lynn Garcia 
November, 2000 



The U.S. Government holds a nonexclusive copyright license in this work for govern- 
ment purposes. This book was authored by Sandia Corporation under Contract DE-AC04- 
94AL85000 with the U.S. Department of Energy. 



1 

Design and Evaluation of 
Physical Protection Systems 



A physical protection system (PPS) inte- 
grates people, procedures, and equipment 
for the protection of assets or facilities 
against theft, sabotage, or other malevo- 
lent human attacks. The design of an 
effective PPS requires a methodical 
approach in which the designer weighs 
the objectives of the PPS against available 
resources, and then evaluates the pro- 
posed design to determine how well it 
meets the objectives. Without this kind of 
careful assessment, the PPS might waste 
valuable resources on unnecessary pro- 
tection or, worse yet, fail to provide ade- 
quate protection at critical points of the 
facility. For example, it would probably be 
unwise to protect a facility's employee 
cafeteria with the same level of protection 
as the central computing area. Similarly, 
maximum security at a facility's main 
entrance would be wasted if entry were 
also possible through an unprotected cafe- 
teria loading dock. Each facility is unique, 
even if performing generally the same 
activities, so this systematic approach 
allows flexibility in the application of 
security tools to address local conditions. 
The process of designing and analyzing 
a PPS is described in the remainder of this 



chapter. The methodology presented here 
is the same one used by Sandia National 
Laboratories when designing a PPS for 
critical nuclear assets (Williams, 1978). 
This approach and supporting tools were 
developed and validated over the past 
twenty-five years through research funded 
by the DOE (Department of Energy) and 
development totaling over $200 million. 
While other industrial and governmental 
assets may not require the highest levels 
of security used at nuclear weapons 
sites, the approach is the same whether 
protecting a manufacturing facility, an oil 
refinery, or a retail store. The foundation 
of this approach is the design of an inte- 
grated performance-based system. Perfor- 
mance measures (i.e., validated numeric 
characteristics) for various system com- 
ponents, such as sensors, video, or re- 
sponse time, allow the use of models to 
predict system performance against the 
identified threat. This effectiveness mea- 
sure can then be used to provide the 
business rationale for investing in the 
system or upgrade, based on a measurable 
increase in system performance and an 
associated decrease in risk to the facility. 
Looking at system improvement com- 



Design and Evaluation of Physical Prote ction Systems 



pared to costs can then support a cost- 
benefit analysis. By following this process, 
the system designer will include elements 
of business, technology, and the criminal 
justice system into the most effective 
design within the constraints and budget 
of the facility. Before describing this 
process in more detail, however, it is first 
necessary to differentiate between safety 
and security. 



rity personnel should not be expected to 
shut down power or equipment. This task 
is better left to those familiar with the 
operation and shutdown of equipment, 
power, or production lines. Procedures 
describing the role of security personnel 
in these events should be developed, 
understood, and practiced in order to 
assure adequate levels of protection and 
safety. 



Safety versus Security 



Deterrence 



For the purposes of this book, safety is 
meant to represent the operation of sys- 
tems in abnormal environments, such 
as flood, fire, earthquake, electrical faults, 
or accidents. Security, on the other hand, 
refers to systems used to prevent or detect 
an attack by a malevolent human adver- 
sary. There are some overlaps between the 
two: for example, the response to a fire 
may be the same whether the fire is the 
result of an electrical short or a terrorist 
bomb. It is useful, however, to recognize 
that a fire has no powers of reasoning, 
while adversaries do. A fire burns as long 
as there is fuel and oxygen; if these ele- 
ments are removed, the fire goes out. An 
attack by a malevolent human adversary, 
on the other hand, requires that we rec- 
ognize the capability of the human adver- 
sary to adapt and thus eventually defeat 
the security system. 

In the event of a safety critical event, 
such as a fire, security personnel should 
have a defined role in assisting, without 
compromising the security readiness of a 
facility. In this regard, security personnel 
should not be overloaded with safety- 
related tasks, as this may increase expo- 
sure of the facility to a security event 
during an emergency condition, particu- 
larly if the adversary creates this event 
as a diversion or takes advantage of the 
opportunity. In addition, security person- 
nel may not possess the specific knowl- 
edge or training to respond to safety 
events. For example, in case of a fire, secu- 



Theft, sabotage, and other malevolent 
acts at a facility may be prevented in two 
ways — by deterring the adversary or by 
defeating the adversary. Deterrence occurs 
by implementing measures that are per- 
ceived by potential adversaries as too dif- 
ficult to defeat; it makes the facility an 
unattractive target, so the adversary aban- 
dons or never attempts an attack. Exam- 
ples of deterrents are the presence of 
security guards in parking lots, adequate 
lighting at night, posting of signs, and the 
use of barriers, such as bars on windows. 
These are features that are often imple- 
mented with no additional layers of 
protection in the event of an attack. 
Deterrence can be very helpful in dis- 
couraging attacks by adversaries; however, 
it is less useful against an adversary 
who chooses to attack anyway. 

It would be a mistake to assume that 
because an adversary has not challenged 
a system, the effectiveness of the system 
has been proven. The deterrence function 
of a PPS is difficult to measure, and 
reliance on successful deterrence can be 
risky; thus it is considered a secondary 
function and will not be discussed further 
in this text. The deterrent value of a true 
PPS, on the other hand, can be very high, 
while at the same time providing protec- 
tion of assets in the event of an attack. 
The purpose of this text is to describe 
a process that produces an effective 
PPS design, validates its performance, 
and relates the improvement in system 



Design and Evaluation of Physical Protection Systems 



effectiveness to the cost. Application of 
this process allows the design of a PPS 
that will protect assets during an actual 
attack, as well as provide additional ben- 
efits through deterrence. 

As more research is done on the mea- 
surable and long-term value of deterrents, 
these may be incorporated into protection 
system design. To date, however, there 
is no statistically valid information to 
support the effectiveness of deterrents. 
There are, however, studies that in- 
dicate that deterrence is not as effec- 
tive after implementation as is hoped 
(Sivarajasingam and Shepherd, 1999). 

Process Overview 

The design of an effective PPS includes 
the determination of the PPS objec- 
tives, the initial design or characterization 
of a PPS, the evaluation of the design, and, 
in many cases, a redesign or refinement 
of the system. To develop the objectives, 
the designer must begin by gathering 
information about facility operations and 
conditions, such as a comprehensive de- 
scription of the facility, operating states, 
and the physical protection require- 
ments. The designer then needs to define 
the threat. This involves considering 
factors about potential adversaries, such 
as class, capabilities, and range of tac- 
tics. Next, the designer should identify 
targets. Targets may be physical assets, 
electronic data, people or anything that 
could impact business operations. The 
designer now knows the objectives of 
the PPS, that is, what to protect against 
whom. The next step is to design the 
new system or characterize the existing 
system. If designing a new system, people, 
procedures, and equipment must be 
integrated to meet the objectives of the 
system. If the system already exists, it 
must be characterized to establish a base- 
line of performance. After the PPS is 
designed or characterized, it must be ana- 
lyzed and evaluated to ensure it meets the 



physical protection objectives. Evaluation 
must allow for features working together 
to assure protection rather than regard- 
ing each feature separately. Due to the 
complexity of protection systems, an 
evaluation usually requires modeling 
techniques. If any vulnerabilities are 
found, the initial system must be re- 
designed to correct the vulnerabilities 
and a reevaluation conducted. 



PPS Design and Evaluation 
Process — Objectives 

A graphical representation of the PPS 
methodology is shown in Figure 1.1. As 
stated above, the first step in the process 
is to determine the objectives of the pro- 
tection system. To formulate these objec- 
tives, the designer must (1) characterize 
(understand) the facility operations and 
conditions, (2) define the threat, and (3) 
identify the targets. 

The process starts with determining 
objectives, then designing a system to 
meet the objectives, and ends with an 
evaluation of how well the system per- 
forms compared to the objectives. 

Characterization of facility operations 
and conditions requires developing a 
thorough description of the facility itself 
(the location of the site boundary, build- 
ing location, building interior floor 
plans, access points). A description of 
the processes within the facility is also 
required, as well as identification of any 
existing physical protection features. This 
information can be obtained from several 
sources, including facility design blue- 
prints, process descriptions, safety analy- 
sis reports, and environmental impact 
statements. In addition to acquisition and 
review of such documentation, a tour of 
the site under consideration and inter- 
views with facility personnel are neces- 
sary. This provides an understanding of 
the physical protection requirements for 
the facility as well as an appreciation 
for the operational and safety constraints, 
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Figure 1.1 Design and Evaluation Process for Physical Protection Systems 



which must be considered. Each facility is 
unique, so the process should be followed 
each time a need is identified. Compro- 
mises must usually be made on all sides 
so that operation can continue in a safe 
and efficient environment while physical 
protection is maintained. Additional con- 
siderations also include an understanding 
of liability, and any legal or regulatory 
requirements that must be followed. 

Next, a threat definition for the facility 
must be made. Information must be col- 
lected to answer three questions about the 
adversary: 

1. What class of adversary is to be 
considered? 

2. What is the range of the adversary's 
tactics? 

3. Whatarethe adversary's capabilities? 

Adversaries can be separated into three 
classes — outsiders, insiders, and out- 
siders working in collusion with insiders. 



For each class of adversary, the full range 
of tactics (deceit, force, stealth, or any 
combination of these) should be consid- 
ered. Deceit is the attempted defeat of a 
security system by using false authoriza- 
tion and identification; force is the overt, 
forcible attempt to overcome a security 
system; and stealth is any attempt to 
defeat the detection system and enter the 
facility covertly. 

For any given facility there may be 
several threats, such as a criminal out- 
sider, a disgruntled employee, competi- 
tors, or some combination of the above, 
so the PPS must be designed to protect 
against all of these threats. Choosing the 
most likely threat, designing the system to 
meet this threat, and then testing to verify 
the system performance against the other 
threats will facilitate this process. 

Finally, target identification should be 
performed for the facility. Targets may 
include critical assets or information, 
people, or critical areas and processes. A 
thorough review of the facility and its 
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assets should be conducted. Such ques- 
tions as "What losses will be incurred in 
the event of sabotage of this equipment?" 
will help identify the assets or equipment 
that are most vulnerable or that create an 
unacceptable consequence. 

Given the information obtained through 
facility characterization, threat definition, 
and target identification, the designer can 
determine the protection objectives of the 
PPS. An example of a protection objective 
might be to interrupt a criminal adversary 
equipped with hand tools and a vehicle 
before finished CPUs (Central Processing 
Units or microprocessors) can be removed 
from the shipping dock. The process of 
determining objectives will be somewhat 
recursive. That is, definition of the 
threat will depend on target identifica- 
tion, and vice versa. This recursion 
should be expected and is indicative of 
the complex relationships among protec- 
tion system objectives. 



PPS Design and Evaluation 
Process — Design PPS 

The next step in the process, if designing 
a new PPS, is to determine how best to 
combine such elements as fences, barri- 
ers, sensors, procedures, communication 
devices, and security personnel into a PPS 
that can achieve the protection objectives. 
The resulting PPS design should meet 
these objectives within the operational, 
safety, legal, and economic constraints of 
the facility. The primary functions of a 
PPS are detection of an adversary, delay 
of that adversary, and response by secu- 
rity personnel (guard force). 

Certain guidelines should be observed 
during the PPS design. A PPS system per- 
forms better if detection is as far from the 
target as possible and delays are near the 
target. In addition, there is close associa- 
tion between detection (exterior or inte- 
rior) and assessment. The designer should 
be aware that detection without assess- 
ment is not detection. Another close 



association is the relationship between 
response and response force communica- 
tions. A response force cannot respond 
unless it receives a communication call 
for a response. These and many other 
particular features of PPS components 
help to ensure that the designer takes 
advantage of the strengths of each piece 
of equipment and uses equipment in com- 
binations that complement each other and 
protect any weaknesses. 



PPS Design and Evaluation 
Process — Evaluate PPS 

Analysis and evaluation of the PPS design 
begin with a review and thorough under- 
standing of the protection objectives the 
designed system must meet. This can be 
done simply by checking for required fea- 
tures of a PPS, such as intrusion detec- 
tion, entry control, access delay, response 
communications, and a response force. 
However, a PPS design based on re- 
quired features cannot be expected to lead 
to a high-performance system unless 
those features, when used together, are 
sufficient to assure adequate levels of 
protection. More sophisticated analysis 
and evaluation techniques can be used 
to estimate the minimum performance 
levels achieved by a PPS. These tech- 
niques include qualitative and quantita- 
tive analysis. Systems that are designed to 
protect high-value critical assets generally 
require a quantitative analysis. Systems 
protecting lower-value assets may be 
analyzed using less rigorous qualitative 
techniques. In order to complete a quan- 
titative analysis, performance data must 
be available for the system components. 

An existing PPS at an operational facil- 
ity cannot normally be fully tested as a 
system. This sort of test would be highly 
disruptive to the operation of the facility 
and could impact production schedules, 
as well as security effectiveness (i.e., 
create a vulnerability). Because direct 
system tests are not practical, evaluation 
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techniques are based on performance 
tests of component subsystems. Compo- 
nent performance estimates are combined 
into system performance estimates by 
the application of system modeling 
techniques. 

The end result of this phase of the 
design and analysis process is a system 
vulnerability assessment. Analysis of the 
PPS design will either find that the design 
effectively achieved the protection objec- 
tives or it will identify weaknesses. If the 
protection objectives are achieved, then 
the design and analysis process is 
completed. However, the PPS should be 
analyzed periodically to ensure that the 
original protection objectives remain 
valid and that the protection system 
continues to meet them. 

If the PPS is found to be ineffective, vul- 
nerabilities in the system can be identi- 
fied. The next step in the design and 
analysis cycle is to redesign or upgrade 
the initial protection system design to 
correct the noted vulnerabilities. It is 
possible that the PPS objectives also 
need to be reevaluated. An analysis of 
the redesigned system is performed. This 
cycle continues until the results indicate 
that the PPS meets the protection 
objectives. 

Physical Protection System Design 

A system may be defined as an integrated 
collection of components or elements 
designed to achieve an objective accord- 
ing to a plan. The designer of any system 
must have the system's ultimate objective 
in mind. The ultimate objective of a 
PPS is to prevent the accomplishment of 
malevolent overt or covert actions. Typ- 
ical objectives are to prevent sabotage 
of critical equipment, theft of assets or 
information from within the facility, and 
protection of people (executive protec- 
tion or workplace violence). A PPS must 
accomplish its objectives by either deter- 



rence or a combination of detection, 
delay, and response. 

The PPS functions of detection and 
delay can be accomplished by the use of 
equipment and guards. Facility guards 
usually handle response. There is always 
a balance between the use of equipment 
and the use of guards. In different con- 
ditions and applications, one is often 
the preferable choice. As technology 
improves, the mix of equipment and 
guards will change and increase system 
effectiveness. The key to a successful pro- 
tection system is the integration of people, 
procedures, and equipment into a sys- 
tem that protects assets from malevolent 
adversaries. 

Detection, delay, and response are all 
required functions of an effective PPS. 
These functions must be performed in 
this order and within a length of time 
that is less than the time required for 
the adversary to complete their task. 
A well-designed system provides pro- 
tection-in-depth, minimizes the con- 
sequence of component failures, and 
exhibits balanced protection. In addition, 
a design process based on performance 
criteria rather than feature criteria will 
select elements and procedures according 
to the contribution they make to overall 
system performance. Performance criteria 
are also measurable, so they aid in the 
analysis of the designed system. These 
principles will be discussed in more 
detail in Chapter 5, "Physical Protection 
System Design." 

PPS Functions 

The purpose of a PPS is to prevent an 
adversary from successful completion of a 
malevolent action against a facility. There 
are several functions that the PPS must 
perform. The primary PPS functions are 
detection, delay, and response. It is essen- 
tial to consider the system functions in 
detail, since a thorough understanding of 
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the definitions of these functions and 
the measure of effectiveness of each is 
required to evaluate the system. It is 
important to note that detection must be 
accomplished for delay to be effective. 
Remember that the system goal is to 
protect assets from a malevolent adver- 
sary. For a system to be effective at this 
objective there must be awareness that 
there is an attack (detection) and slowing 
of adversary progress to the targets 
(delay), thus allowing the response force 
enough time to interrupt or stop the 
adversary (response). 



Detection 

Detection is the discovery of an adversary 
action. It includes sensing of covert or 
overt actions. The measures of effective- 
ness for the detection function are the 
probability of sensing adversary action 
and the time required for reporting and 
assessing the alarm. The probability of 
detection for a particular sensor captures 
both of these measures. Included in the 
detection function of physical protection 
is entry control. Entry control refers to 
allowing entry to authorized personnel 
and detecting the attempted entry of 
unauthorized personnel and material. The 
measures of effectiveness of entry control 
are throughput, false acceptance rate, and 
false rejection rate. Throughput is defined 
as the number of authorized personnel 
allowed access per unit time, assuming 
that all personnel who attempt entry are 
authorized for entrance. False acceptance 
is the rate at which false identities or cre- 
dentials are allowed entry, while the false 
rejection rate is the frequency of denying 
access to authorized personnel. 

The response force can also accomplish 
detection. Guards at fixed posts or on 
patrol may serve a vital role in sensing an 
intrusion. However, this decision must be 
carefully considered. Once an alarm is 
initiated and reported, assessment begins. 



An effective assessment system provides 
two types of information associated with 
detection. This information includes 
whether the alarm is a valid alarm or a 
nuisance alarm, and details about the 
cause of the alarm — what, who, where, 
and how many. 

Delay 

Delay is the second function of a PPS. 
It is the slowing down of adversary 
progress. Delay can be accomplished by 
personnel, barriers, locks, and activated 
delays. Response force personnel can be 
considered elements of delay if they are in 
fixed and well-protected positions. The 
measure of delay effectiveness is the time 
required by the adversary (after detection) 
to bypass each delay element. Although 
the adversary may be delayed prior to 
detection, this delay is of no value to the 
effectiveness of the PPS, because it does 
not provide additional time to respond to 
the adversary. Delay before detection is 
primarily a deterrent. 

Response 

The response function consists of the 
actions taken by the response force to 
prevent adversary success. Response, as 
it is used here, consists of interruption. 
Interruption is defined as a sufficient 
number of response force personnel arriv- 
ing at the appropriate location to stop the 
adversary's progress. It includes the com- 
munication to the response force of accu- 
rate information about adversary actions 
and the deployment of the response force. 
The measure of response effectiveness is 
the time between receipt of a communi- 
cation of adversary action and the inter- 
ruption of the adversary action. 

Deployment describes the actions of the 
response force from the time communica- 
tion is received until the force is in 
position to interrupt the adversary. The 



Design and Evaluation of Physical Protection Systems 



effectiveness measure of this function 
is the probability of deployment to the 
adversary location and the time required 
to deploy the response force. 

Design Goals 

The effectiveness of the PPS functions 
of detection, delay, and response and 
their relationship has already been dis- 
cussed. In addition, all of the hard- 
ware elements of the system must be 
installed, maintained, and operated prop- 
erly. The procedures of the PPS must be 
compatible with facility operations and 
procedures. Security, safety, and opera- 
tional objectives must be accomplished at 
all times. A PPS that has been well engi- 
neered will be based on sound principles, 
including protection-in-depth, minimum 
consequence of component failure, and 
balanced protection. Each of these princi- 
ples will be discussed in more detail in 
Chapter 5, "Physical Protection System 
Design." 

Design Criteria 

Any design process must have criteria 
against which elements of the design will 
be evaluated. A design process based on 
performance criteria will select elements 
and procedures according to the contri- 
bution they make to overall system per- 
formance. The effectiveness measure will 
be overall system performance. 

A feature criteria approach selects ele- 
ments or procedures to satisfy require- 
ments that certain items are present. The 
effectiveness measure is the presence of 
those features. The use of a feature crite- 
ria approach in regulations or require- 
ments that apply to PPSs should generally 
be avoided or handled with extreme care. 
Unless such care is exercised, the feature 
criteria approach can lead to the use 
of a checklist method to determine sys- 
tem adequacy based on the presence or 



absence of required features. This is 
clearly not desirable, since overall system 
performance is of interest, rather than the 
mere presence or absence of system 
features or components. For example, a 
performance criterion for a perimeter 
detection system would be that the system 
be able to detect a running intruder using 
any attack method. A feature criterion 
for the same detection system might be 
that the system includes two different 
sensor types. 

Performance Measures 

The conceptual design techniques pre- 
sented in this text support a performance- 
based approach to meeting the PPS 
objectives. Much of the component tech- 
nology material will, however, be applic- 
able for either performance criteria or 
feature criteria design methods. The per- 
formance measures for a PPS function 
include probability of detection; time for 
alarm communication and assessment; 
frequency of nuisance alarms; time to 
defeat obstacles; probability of and time 
for accurate communication to response 
force; probability of response force deploy- 
ment to adversary location; and time to 
deploy. 



Analysis 

A PPS is a complex configuration of de- 
tection, delay, and response elements. 
Computerized techniques are available 
to analyze a PPS and evaluate its 
effectiveness (Bennett, 1977; Chapman 
and Harlan, 1985). Such techniques 
identify system deficiencies, evaluate 
improvements, and perform cost-versus- 
effectiveness comparisons. These tech- 
niques are appropriate for analyzing 
PPSs at individual sites. Also, the tech- 
niques can be used for evaluating either 
an existing protection system or a pro- 
posed system design. 
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The goal of an adversary is to complete 
a path to a target with the least likelihood 
of being stopped by the PPS. To achieve 
this goal, the adversary may attempt to 
minimize the time required to complete 
the path. This strategy involves penetrat- 
ing barriers with little regard to the prob- 
ability of being detected. The adversary is 
successful if the path is completed before 
guards can respond. Alternatively, the 
adversary may attempt to minimize detec- 
tion with little regard to the time required. 
In this case, the adversary is successful 
if the path is completed without being 
detected. 

The measure of effectiveness for inter- 
rupting an adversary used in this text is 
timely detection. Timely detection refers 
to the cumulative probability of detecting 
the adversary at a point where there is 
enough time remaining on the adversary 
path for the response force to interrupt 
the adversary. The delay elements along 
the path determine the point by which the 
adversary must be detected. That point 
is where the minimum delay along the 
remaining portion of the path just exceeds 
the guard response time. The probability 
of interruption (P,) is the cumulative prob- 
ability of detection from the start of the 
path up to the point determined by the 
time remaining for the guards to respond. 
This value of P T serves as a measure of the 
PPS effectiveness. 



Physical Protection System Design 
and the Relationship to Risk 

The design and analysis of a PPS include 
the determination of the PPS objectives, 
characterizing the design of the PPS, the 
evaluation of the design, and, possibly, a 
redesign or refinement of the system. The 
process must begin by gathering informa- 
tion about the facility, defining the threat, 
and then identifying targets. Determina- 
tion of whether or not assets are attractive 
targets is based mainly on the ease or dif- 
ficulty of acquisition and the value of the 



asset. The next step is to characterize the 
design of the PPS by defining the detec- 
tion, delay, and response elements. The 
PPS is then analyzed and evaluated to 
ensure it meets the physical protection 
objectives. Evaluation must allow for fea- 
tures working together to assure protec- 
tion rather than regarding each feature 
separately. 

The basic premise of the methodol- 
ogy described in this text is that the 
design and analysis of physical protection 
must be accomplished as an integrated 
system. In this way, all components of 
detection, delay, and response can be 
properly weighted according to their 
contribution to the PPS as a whole. At 
a higher level, the facility owner must 
balance the effectiveness of the PPS 
against available resources, and then 
evaluate the proposed design. Without 
a methodical, defined, analytical assess- 
ment, the PPS might waste valuable 
resources on unnecessary protection or, 
worse yet, fail to provide adequate pro- 
tection at critical points of the facility. 
Due to the complexity of protection 
systems, an evaluation usually requires 
computer modeling techniques. If any 
vulnerabilities are found, the initial 
system must be redesigned to correct the 
vulnerabilities and a reevaluation con- 
ducted. Then the system's overall risk 
should be calculated. This risk is normal- 
ized to the consequence severity if the 
adversary could attain the target. This 
means that the consequence of the loss of 
an asset is represented numerically by 
a value between zero and one, where the 
highest consequence of loss is represented 
by one and other lower consequence 
losses are assigned correspondingly lower 
values. This method ranks the conse- 
quence of loss of assets from unacceptably 
high down to very low or no consequence. 
This is explained more in Chapter 4, 
"Target Identification." The facility man- 
ager is then able to make a judgment as 
to the amount of risk that remains and if 
this is acceptable. 
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The risk equation used is: 

R = P A *[1-(P,)]*C 

Each term in the equation will be elabo- 
rated more fully throughout the text. At 
this time, it is sufficient to note that the 
measure of PPS effectiveness, Pj, can be 
related to the probability of attack (P A ) 
and the consequence associated with the 
loss (C). 

Once the risk value is determined, the 
security manager can justify the expen- 
diture of funds based on a scientific, 
measurable, and prioritized analysis. This 
information can be presented to executive 
management of the corporation or facility 
to demonstrate how the security risk is 
being mitigated and how much risk expo- 
sure remains. The analysis can then form 
the basis for a discussion on how much 
security risk can be tolerated or how 
much to increase or decrease the budget 
based on risk. This analysis can also serve 
to demonstrate to any regulatory agencies 
that a careful review of the security of the 
facility has been performed and that rea- 
sonable measures are in place to protect 
people and assets. The analysis will allow 
the facility to state the assumptions that 
were made (threat, targets, risk level), 
show the system design, and provide 
detailed information to support system 
effectiveness measures. 

This process only describes the evalu- 
ated risk of the security system and its 
effectiveness. It should be noted that there 
are multiple risk areas for a facility or cor- 
poration, of which security is only one 
part. Other areas of risk that need to be 
considered within the business enterprise 
include financial risk management, liabil- 
ity risk financing, property/net income 
financing, employee benefits, environ- 
mental health and safety, and property 
engineering (Zuckerman, 1998). It should 
be clear that the security program is one 
that contributes to the bottom line of the 
corporation, by protecting assets from 
malevolent human threats. The security 



manager should be capable of allocating 
available resources to best protect corpo- 
rate assets and of adjusting resources as 
required in the face of changing threats. 
This is the role of the security manager or 
director in the corporate structure. 

Summary 

This chapter introduces the use of a sys- 
tematic and measurable approach to the 
implementation of a PPS. It emphasizes 
the concept of detection, followed by delay 
and response, and presents a brief descrip- 
tion of the relationship of these functions. 
Deterrence of an adversary is compared 
to defeat of an adversary, along with the 
caution not to rely on deterrence to pro- 
tect assets. Specific performance meas- 
ures of various components of a PPS are 
described, along with how these measures 
are combined to support a cost/benefit 
analysis. The process stresses the use of 
integrated systems combining people, 
procedures, and equipment to meet the 
protection objectives. In support of this 
concept, the difference between safety 
and security is described to emphasize the 
difference between accidents or natural 
disasters and malevolent human attack. 

Additional chapters in this text will 
provide the specific details incorporated 
by this approach. The concepts presented 
here are somewhat unique in the secu- 
rity industry as a whole, but have been 
demonstrated to be effective in protecting 
critical nuclear assets for the past twenty- 
five years. Although a particular facility 
may not require the same level of protec- 
tion, or have the same unacceptably high 
consequence of loss — the loss of a nuclear 
weapon or material could result in the 
death of thousands of people — the pro- 
cess described in these pages can still be 
applied to protect targets against the 
appropriate threats. Ultimately, this leads 
to an effective system design that can be 
used to explain why certain security com- 
ponents were used, how they contribute 
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to the system effectiveness, and how this 
system mitigates total risk to the facility 
or corporation. 



Annual American Society of Industrial 
Security Education Symposium, Au- 
gust 13-15, 1998, New York, NY. 



References 



Bennett, H.A. The EASI approach to phys- 
ical security evaluation. SAND Report 
760500 1977;l-35.* 

Chapman, L.D., and Harlan, C.P. EASI 
estimate of adversary sequence inter- 
ruption on an IBM PC. SAND Report 
851105 1985;l-63.* 

Williams, J.D. "DOE/SS Handbooks: A 
means of disseminating physical secu- 
rity equipment information." Journal of 
the Institute of Nuclear Materials Man- 
agement 1978;7(l):65-75. 

Sivarajasingam, V., and Shepherd, J.P. 
"Effect of closed circuit television on 
urban violence." Journal of Ace Emer 
Medicine 1999;16(4):255-257. 

Zuckerman, M.M. "Moving towards a 
holistic approach to risk manage- 
ment education: Teaching business se- 
curity management." Presented at 2nd 



Questions 



1. Explain the difference between the 
goals of safety systems and opera- 
tions and security systems and 
operations. 

2. Discuss the strengths and weak- 
nesses of deterrence as the goal of a 
security system. 

3. What are the functions of a good 
security system? How are these 
functions applied? Why? 



* SAND Reports are available from: National Tech- 
nical Information Service, U.S. Department of Com- 
merce, 5285 Port Royal Road, Springfield, VA 22161. 
Phone: 800-553-NTIS (6847) or 703-605-6000; Fax: 
703-321-8547; TDD: 703-487-4639; http://www.ntis. 
gov/ordering.htm or U.S. Government Printing 
Office, Superintendent of Documents, Federal 
Depository Libraries Program, Washington, DC 
20402. Phone: 202-512-1530 or 888-293-6498; Fax: 
202-512-1262; E-mail: gpoaccess@gpo.gov; http:// 
www.access.gpo.gov. 
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The first step in designing a new PPS, or 
upgrading an existing system, is to char- 
acterize the facility to be protected. Before 
any decisions can be made concerning 
the level of protection needed, an under- 
standing of what is being protected and 
the surrounding environment is essential. 
Too often this crucial step is overlooked 
and security systems are designed that 
either overprotect a nonessential compo- 
nent or fail to adequately protect a vital 
portion of the facility. The cost of an 
overdesigned system can be enormous, 
and the possible results of inadequate 
protection can be disastrous. Thus, it 
is absolutely essential that a facility be 
understood fully in terms of constraints, 
expected performance, operations, and 
the circumstances in which the facility 
exists. 

When characterizing a facility, informa- 
tion about as many different aspects of the 
facility as possible must be obtained and 
reviewed. While this may appear to be 
an overwhelming task at first, there are 
several areas of special interest that can 
serve as the basis for this data collection 
effort. Major areas of investigation for 
facility characterization include: 



• Physical conditions 

• Facility operations 

• Facility policies and procedures 

• Regulatory requirements 

• Legal issues 

• Safety considerations 

• Corporate goals and objectives 

As data is collected, other related areas 
of interest may emerge. The process of 
characterizing a facility is the most sub- 
jective and least constrained aspect of 
designing a PPS. The process may start 
out very structured, but eventually may 
uncover information that can be surpris- 
ing and lead to additional unanticipated 
areas. During interviews conducted at a 
site, it is not uncommon to reveal aspects 
of a facility's operation or policies that are 
unknown to some subsets of employees. 
The reaction to this new information 
ranges from mild interest to total shock. 
Interviews conducted at one entertain- 
ment complex, across a vertical slice of 
personnel levels, revealed that when 
power was lost at the facility the policy 
was to give guests complimentary one-day 
admission tickets as they left the park. 
This came as something of a surprise to 
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some of the managers observing the inter- 
view! This anecdote also emphasizes the 
value of personal interviews of people 
around the facility, in addition to the 
documentation reviews, tours, and brief- 
ings that are normally used to collect 
information. 

Physical Conditions 

Perhaps the easiest area to characterize, 
physical characterization includes identi- 
fying the site boundary, the number and 
locations of buildings in the complex, 
room locations within buildings, access 
points, existing physical protection fea- 
tures, and all infrastructure details. This 
information is normally available in blue- 
prints and drawings of the facility. Physi- 
cal infrastructure that should be reviewed 
includes heating, ventilation, and air con- 
ditioning systems; communication paths 
and type (fiber-optic, telephone, computer 
networks, etc); construction materials of 
walls and ceilings; power distribution 
system; any unique environmentally 
controlled areas of the facility; locations 
of any hazardous materials; and exterior 
areas. Physical aspects of a site also 
include an understanding of the topog- 
raphy, vegetation, wildlife, background 
noise (such as airports, rail yards, major 
highways, or electromagnetic interfer- 
ence), climate and weather, and soil and 
pavement. This information can be used 
to predict adversary paths into a facility, 
establish target locations, and identify 
potential sources of nuisance alarms for 
protection equipment. 

Existing physical protection features 
include fences, sensors, cameras, access 
control systems, barriers, and response 
force availability. It will be important to 
know whether a facility has an immedi- 
ate, on-site guard force (contract or pro- 
prietary) and the capability of this force, 
or if the facility will depend on other off- 
site response forces, such as local law 
enforcement. This information will deter- 



mine, to a large extent, how effective the 
final PPS will be. 

Several sources of checklists exist to 
help conduct the physical survey of a 
site (Barnard, 1988; Burstein, 1994; 
Fennelly, 1996). While these lists can be 
useful, excessive dependence on them 
is not recommended. No single checklist 
can be written that will cover all the per- 
tinent questions for all different types 
of facilities or can predict what addi- 
tional unique sources of information 
should be utilized. Existing survey tools, 
however, can form the basis for a check- 
list at a specific facility, and can be 
modified to reflect the special circum- 
stances of the facility. 

Facility Operations 

Another major area for investigation is 
facility operations. This will include such 
things as major products of the facility, 
processes that support these products, 
operating conditions (working hours, off- 
hours, emergency operations), and the 
types and numbers of employees. A large 
part of this stage of data collection is the 
review of the procedures that are used to 
accomplish the mission of the facility. 
This mission is related to the products 
made at the facility and can include man- 
ufactured parts, research data, retail sales, 
or other products. It should be apparent 
that any security system should not have 
an overly restrictive effect on the work of 
the facility. 

Operational review of the facility 
should also include an evaluation of the 
supporting functions available at the site. 
This includes procurement procedures, 
computing resources and distribution, 
maintenance activities, asset tracking, 
operational involvement and location 
of senior executives, workflow, shift 
changes, employee benefits, shipping and 
receiving, accounting functions, and any 
other supporting functions. This infor- 
mation will establish constraints when 
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implementing security technology or pro- 
cedures, and will help in the identifica- 
tion of facility vulnerabilities later in the 
process. 

Operational details can reveal impor- 
tant transition periods at a facility. For 
example, at a shift change many employ- 
ees may be entering and exiting the facil- 
ity. This can be an important input into 
the design of any access controls for the 
facility or parking areas. The system must 
be designed to accommodate this high 
throughput of personnel, even though it 
may only happen twice a day for a total of 
sixty minutes. Knowledge of the work- 
loads and schedule at the shipping and 
receiving dock will help when designing 
an asset tracking system or implementing 
controls over the movement of raw mate- 
rials or product into and out of a facility. 
This information will establish the opera- 
tional needs to be accommodated by any 
security upgrades. Vehicle activity into 
and out of a facility, as well as within the 
facility (if it is a large industrial complex), 
will also provide a basis for vulnerability 
assessment and establish operational con- 
straints that must be considered as part of 
the security system design. 

In summary, operational issues need to 
be understood in order to deign a system 
that is effective in protecting targets, 
while not having an undue effect on the 
work of the facility. This impact will 
be part of any trade-off analysis that is 
performed once a PPS design has been 
proposed. 

Facility Policies and Procedures 

One of the most critical areas for study at 
a facility includes an understanding of the 
written and unwritten policies and pro- 
cedures used at a site. Although many 
companies maintain well-documented 
collections of this information, it is not 
uncommon to find that employees use 
other, undocumented procedures to do 
their work. This lack of alignment can at 



times cause serious discrepancies in the 
way things are expected to be done and 
the way they are, in fact, accomplished. 
These discrepancies may only be minor, 
but occasionally cause major risk and 
expose large liabilities for the corporation. 
Due to the casual nature of unwritten poli- 
cies and procedures, they can be hard to 
uncover. This is why it is very useful to 
spend some time at a facility observing 
how things are done. One way to do this 
is through guided tours of the facil- 
ity accompanied by knowledgeable or 
responsible personnel, but it can also be 
revealing to spend time independently 
visiting all of the areas of the facility, 
within safety limits, and watching the 
general ebb and flow of work. Though this 
sort of unrestricted access can be difficult 
to obtain at times, it should be presented 
in the context of trying to help mitigate 
risk and reduce liability, not as a license 
to criticize. It is even possible that the 
unwritten procedures are more effective 
than the official versions, so their discov- 
ery and use could lead to very positive 
change. One way of reducing the implicit 
criticism that may be felt by management 
during this process is through the use 
of a nondisclosure agreement, whereby 
security consultants agree not to divulge 
any of the information they acquire 
without express permission from the 
facility. This will be less of a problem if 
the security system designer is a direct 
employee of the facility. 

Corporate policies should exist that 
document to all employees their right to 
privacy or corresponding work locations 
where they should have no expectation of 
privacy; the corporate policy on bringing 
drugs, alcohol, or weapons onto corporate 
premises; the use of force by site guards; 
and other notifications to employees of 
corporate expectations. Corporate proce- 
dures should then reinforce the policies 
by detailing what to do, when they 
apply, who is responsible, and through 
appropriate training for employees and 
contractors. 
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Training on the correct interpretation 
and application of corporate procedures 
must be provided at the facility. If there is 
a corporate expectation that everyone 
receive safety training once a year, it is 
incumbent on the organization to com- 
municate this openly to the employee and 
then to provide access to training. A lack 
of alignment between corporate require- 
ments and training in how to meet them 
can reduce employee morale and pro- 
ductivity, and increase the chances for a 
safety or security incident. In a like 
manner, if employees are expected to 
maintain certain security levels, but have 
no training on what this means on a day- 
to-day basis, there can be disappointment 
on all sides. Corporate training should be 
available to solidify the expectations for 
employee behavior and show that man- 
agement is fully committed to the policy. 
If management is not committed, the 
policy should be revised or removed. 
Employee training is a major part of the 
implementation of any corporate system, 
but especially for security, because 
employees can be one of the best sources 
of prevention and detection. 

The presence or absence of well- 
documented, consistently applied and 
trained policies and procedures can be an 
indication of the corporate culture at a 
facility. A culture that is accustomed to 
clear expectations and the support to meet 
those expectations will be better able to 
accommodate the discipline necessary to 
support an effective security system. If the 
corporate culture is one that is less disci- 
plined or more autonomous, a security 
system may not be embraced as willingly 
by the employees, which can be a serious 
impediment to the success of the system. 
This point will be further discussed later 
in this chapter, under "Corporate Goals 
and Objectives." 

Regulatory Requirements 

All facilities, no matter what their product 
or business, are responsible to some regu- 



latory authority. This may be the fire 
department; safety and health regulators; 
federal government agencies includ- 
ing the Departments of Labor, Energy, 
Defense, or Commerce; or any of a number 
of special regulatory agencies, such as the 
Nuclear Regulatory Commission or the 
local Corporation Commission. In addi- 
tion, every facility must meet certain 
standards in their work practices. These 
may be standards imposed by profes- 
sional organizations, such as Certified 
Public Accountant, or they may be best 
practiced within an industry. Many facil- 
ities utilize a variety of standards ap- 
proved by Underwriters Laboratories 
(UL, 2000). All construction must meet a 
variety of state and local building codes. 
Regardless of the formality of the regula- 
tion, it is important to understand the 
nature of all the regulations a facility may 
be expected or required to meet. 

For example, a small bookkeeping office 
may only have to meet minimal state 
and local fire codes, while a major petro- 
chemical producer will be expected to 
conform to additional state and local reg- 
ulations. Federal agencies such as the U.S. 
Occupational Safety and Health Adminis- 
tration (OSHA, 1998), the Department 
of Labor, the Environmental Protection 
Agency (EPA, 1999), and perhaps the 
National Labor Relations Board may 
also regulate the petrochemical producer. 
These requirements must be considered 
as a security system is designed. Obvi- 
ously, any security system that is imple- 
mented cannot put the company at risk of 
violating any regulations. These regula- 
tions then become an important supple- 
ment to the design and implementation of 
the security system. Safety-related aspects 
of these regulations are discussed in more 
detail in the next section. 



Safety Considerations 

As previously discussed in Chapter 1, 
"Design and Evaluation of Physical Pro- 
tection Systems," safety and security do 
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not have the same goal, although they are 
complementary functions. Consider the 
desired behaviors of a group of employees 
during a fire at a facility. The facility 
safety representative will say: stop what 
you are doing right now, leave the area or 
building in a calm and orderly manner, 
and go to a certain designated location 
and wait for more information. However, 
the facility security manager will say: stop 
what you are doing, secure the critical 
information or asset you are using, then 
leave the building. This creates the classic 
conflict between safety and security — 
safety people want evacuation as fast as 
possible, and security people want to be 
sure that no asset is stolen or left unpro- 
tected during the fire (which may only be 
a diversion). This conflict, though diffi- 
cult, must be resolved by the two parties 
working jointly to meet both their 
individual functional objectives and the 
bigger objectives of the corporation. 

While no security manager would want 
to put a person in physical danger to 
protect an asset, it is prudent to design 
technology systems and procedures to 
meet all needs. One example of this is the 
use of a short (10-15 second) time-delay 
on fire exits from critical areas. This can 
allow safety or security personnel time to 
ascertain that there really is a fire, or to 
broadcast instructions to personnel in the 
facility. Some fire systems now include an 
override feature that will allow a safety 
officer to continually reset the delay on 
a door, when they are certain there is 
no imminent danger (i.e., a false alarm). 
Some facilities dispatch a security officer 
to the critical location to guard the asset 
until the safety event ends or it is no 
longer safe to be in the area. Either way, it 
is important to incorporate this kind of 
thinking into the facility security system. 

A different example of the conflicts that 
can arise from safety and security systems 
is demonstrated by an incident at a major 
power-producing plant. A fire started in a 
limited access room in the plant and some 
people were hurt. In response to the fire, 
the automatic sprinklers were activated. 



The water shorted out the electric door 
locks on the room entrances, which pre- 
vented the immediate entry of medical 
personnel into the area. This is a good 
example of how safety and security 
systems must be designed to work to- 
gether under all conditions. 

It should be clear that an important 
voice in the design of an effective security 
system will be the facility or operational 
safety officer. Many companies base their 
safety systems on the standards published 
by Underwriters Laboratories (UL, 2000). 
Safety and security personnel must work 
together to design systems that will be 
effective in normal (daily operations), 
abnormal (e.g., a fire), and malevolent 
conditions (e.g., an attack on the facility 
by a human adversary). Conflicts between 
the two should be resolved by sound and 
integrated solutions; if this fails, the deci- 
sion should be made based on some rea- 
sonable criteria determined in advance by 
the organization. This may include the 
consequence of the loss of the asset, the 
increased liability to the company for 
injury or death, or the trade-off between 
the two. 



Legal Issues 

Perhaps the most visible and complex 
aspect of facility characterization is a 
thorough review of the legal issues that 
should be considered when designing and 
implementing a security system. Legal 
issues cover liability, privacy, access for 
the disabled, labor relations, employment 
practices, proper training for guards, the 
failure to protect, and excessive use of 
force by guards, to list only a few. A good 
understanding of the criminal justice 
system will be a very useful component in 
the design and implementation of a PPS. 
It would be nearly impossible to give a 
complete overview of all the legal issues 
that a facility (or corporation) confronts 
every day, without the added burden that 
poorly designed or implemented security 
systems add. For this reason, a brief dis- 
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cussion of only some of the major consid- 
erations that fall under legal issues will 
be presented. Each facility will need to 
make its own assessment of which legal 
issues are concerns and what actions will 
be taken based on this information. It 
should be emphasized that an organiza- 
tion should not choose to ignore security 
issues just because the legal complexities 
seem overwhelming. This very act could 
put the enterprise at risk for some liabil- 
ity, by not acting to prevent crimes that 
have occurred on the premises in the past 
(Foreseeable Risk Analysis Center, 2000). 
An excellent example of this is in the 
lodging industry. Case law is full of 
examples where hotels, after a rape, 
robbery, or assault occurs on the premises, 
are expected to implement measures to 
protect guests from similar attacks. When 
they do not implement these measures, 
the penalty is much more severe at the 
next occurrence (Foreseeable Risk Analy- 
sis Center, 2000). It is strongly suggested 
that an attorney be retained to consult 
with the facility to resolve these issues. 

Security Liability 

Within the context of liability incurred 
as a result of security system implemen- 
tation, most businesses are sued for 
deficient proactive security services and 
practices (failure to provide reasonable 
security for persons, property, or infor- 
mation), and intrusive, improper, and 
abusive reactive services and practices 
when responding to an incident. To better 
define what is meant, a few examples 
will be discussed. Thorough reviews of 
the legal issues encountered by a secu- 
rity organization are available (Hess and 
Wrobleski, 1996; Fischer and Green, 
1998). 

Failure to Protect 

This can refer to a variety of instances, 
including the negligence of security 



guards to protect patrons at a restaurant 
or other site, loss of property through 
employee embezzlement or fraud, and 
loss of information such as a trade secret. 
Failure to protect would also include loss 
of intellectual property, such as patents, 
copyrights, or trademarks, and loss of con- 
fidential information, including employee 
personnel files, patient records, or busi- 
ness records. 

Overreaction 

The liability incurred for overreaction 
involves incidents such as excessive use 
of force by a security officer, invasion of 
privacy by an investigator or technology, 
and false imprisonment by a security 
officer (Timm and Christian, 1991). While 
these issues are resolved through clear 
policies at the facility and training to rein- 
force the policy, many companies still do 
not align their policies and procedures 
with their practice. This exposes them to 
increased liability with respect to these 
types of events. A surprising number of 
companies do not train their security 
force in proper procedures on use of force 
or detaining an employee or other suspect 
for questioning. Since many guards are 
not sworn peace officers, they have no 
power of arrest, so this can be a liability. 

Labor/Employment Issues 

Many companies have organized labor 
(union-represented) employees and so 
must be aware of federal law pertaining 
to union membership drives, strikes, and 
conduct of disciplinary interviews and 
interrogations of union members. Other 
aspects of this area include Workers' Com- 
pensation claims, termination of employ- 
ment for security violations, and negligent 
hiring practices. While these cases do not 
represent a large number at any one facil- 
ity, they are issues that have surfaced at 
times and need to be considered within 
the broader context of how a company 
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chooses to operate. In addition, the law is 
clear that if an employee is hired and 
commits an illegal act on behalf of the 
company, the company is liable. This sort 
of finding has led many companies to ini- 
tiate background checks on employees for 
certain sensitive positions, such as secu- 
rity guards and supervisors. 

There are volumes of information avail- 
able on legal issues and security, as well 
as other publications that track and report 
on case law for security, such as the 
Private Security Case Law Reporter 
(Strafford Publications, Atlanta). As facil- 
ity information is collected and legal 
questions arise, consult with an attorney 
or review the many information sources 
on law and security to help develop 
guidelines, policies, and procedures that 
limit corporate liability while effectively 
protecting assets. 

Corporate Goals and Objectives 

When designing a PPS, it will be impor- 
tant to understand how the corporation or 
facility views the role of the security orga- 
nization. If security is seen as a required 
function that adds no value, it will be dif- 
ficult to establish an integrated security 
system using people, procedures, and 
equipment to meet the desired goals. It is 
important for senior management to see 
the security function as a part of the total 
business operation and a partner in the 
strategic plan for reaching corporate goals. 
For this reason, it is vital that the security 
system designer has the support of senior 
management. If senior management is not 
convinced of the importance of security to 
the business, they may be reluctant to 
commit any resources towards system 
development or improvement. In addi- 
tion, the security manager should be 
apprised of any impending major actions 
at the facility. Some examples include the 
purchase of a new operating division or 
site, anticipated layoffs, expansion or 
addition of production capacity, or sched- 



uled meetings or visits by corporate exec- 
utives or other officials to a site. This 
information is required in order to assure 
continued protection for assets or 
personnel. 

The first job of the security system 
designer, then, may be to convince execu- 
tives of the value and importance of at 
least evaluating a facility to see if there are 
any vulnerabilities, and then to present 
system improvements in a manner that 
shows them what value has been added. 
This is the goal of this textbook. The 
approach described throughout this text is 
meant to provide a business rationale to 
executives that will allow them to see the 
benefit of their investment, while at the 
same time helping the facility security 
manager apply available resources most 
effectively. Later in this book, a more 
detailed description of risk analysis will 
be presented, which will tie together all of 
the system pieces presented in the differ- 
ent chapters. 

Other Information 

The political environment in the sur- 
rounding community and internal to the 
facility can provide additional informa- 
tion for facility characterization. Local 
politicians or councils can have an effect 
on operations at a facility, and internal 
power struggles could have an effect on 
the value placed on security systems or 
functions. Liaison between the facility 
and local law enforcement can also be 
important, particularly if the facility 
will depend on this group for any 
response to a security event. The exis- 
tence of or membership in any mutual aid 
agreements with other industries in the 
area should also be investigated, because 
these agreements can provide additional 
resources to respond to or collect infor- 
mation from concerning threats. This will 
also allow links to others in the commu- 
nity for dealing with any emergency 
conditions. 
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Finally, it should be noted that the 
collection of data across different types 
of facilities will have some things in 
common (i.e., people are allowed in), 
some things that are different (a power 
company would have more infrastructure 
elements than a retail store), and some that 
are unique (a dam). As a result, there is no 
one-size-fits-all list of data or sources. This 
is also a dynamic process; as progress is 
made, additional data may be required or 
some data may become extraneous. 

Summary 

This chapter describes the process of col- 
lecting information to characterize a facil- 
ity. Prior to designing a PPS, as much 
information as possible should be gath- 
ered to understand the activities at the 
facility and the facility layout. This will 
help identify constraints, document exist- 
ing protection features, and reveal areas 
and assets that may be vulnerable. Areas 
of investigation include physical condi- 
tions, facility operations, facility policies 
and procedures, regulatory requirements, 
legal issues, safety considerations, and 
corporate goals and objectives. As more 
information is collected, additional areas 
of interest may emerge. When collecting 
information, a variety of sources should 
be used, including drawings, policies and 
procedures, tours, briefings, reference 
material, and personal interviews. 

Security Principle 

In order to design a system that will be 
effective, the PPS design must accommo- 
date the safety, process, and mission 
needs of the corporation and the facility. 
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Questions 

1. Pick three different facility types, for 
example, a retail store, a museum, 
and a power company, and describe 
the kinds of information needed to 
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characterize the facility and where it 
might be obtained. 

2. In groups of three, play the role of 
the security system designer for 
each of the facilities in Exercise 
1 and discuss how your facility is 
the same as and different than the 
others. 

3. Discuss how the collection of data 
about a facility requires information 



about the business goals for the 
company, use of security technol- 
ogy, and aspects of the criminal 
justice system. 
4. What impediments to a new or 
upgraded security system could a 
protection system designer encoun- 
ter? What would convince you, as 
the system designer, that a PPS 
could be effective at a facility? 
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The possibility that criminals or terrorists 
might attempt to steal assets or informa- 
tion, sabotage a facility, extort a person, 
or perform other criminal activities at 
industrial or government sites has created 
special problems for the protection of 
assets. The designers of PPSs and those 
in charge of setting requirements make 
certain assumptions about the intentions 
and capabilities of their perceived adver- 
saries. Assumptions are made when 
people in government or industry make 
budgetary allocations for physical protec- 
tion measures. Assumptions are made 
when a decision is reached to acquire or 
not to acquire certain kinds of hardware 
or to hire additional personnel. A study 
of the capabilities and intentions of poten- 
tial criminals or adversaries, although 
sometimes speculative, provides a basis 
for making such assumptions. The basis 
for making the needed assumptions 
should be predicated upon a thoughtfully 
developed threat statement that defines 
a reasonable assessment of the possible 
intentions, motivations, and physical 
capabilities of likely adversaries. In 
addition, the availability of on-site or 
local law enforcement response personnel 



is an important consideration. Once 
adversary types are identified, additional 
thought can go into determining the 
design basis threat, or the threat against 
which the facility or target will be pro- 
tected. This chapter will describe one 
approach that can be used to develop a 
definition of threat for a specific facility. 
The threat definition must be consid- 
ered when determining the objectives or 
evaluating the effectiveness of an 
existing PPS. 

The concept of the design basis threat 
describes the process and outcome of 
threat definition. Any facility will have 
records or a suspicion regarding which 
malevolent adversaries may attack. The 
threat may range from teenage vandals up 
through sophisticated terrorists. If a facil- 
ity performs experiments on animals or 
provides abortion services, extremists 
may try to disrupt or stop operations. Gov- 
ernment buildings and sites have become 
targets for various extremists, who have 
expressed their disagreement with gov- 
ernment policies in violent and dramatic 
ways (see Figure 3.1). Collecting this 
information, organizing it, and using it 
to determine which threat(s) a particular 
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Figure 3.1 Extremist Groups in the United States. Copyright Southern Poverty Law 
Center, Klanwatch Intelligence Project. Visit our Web site at http://www.splcenter.org for 
additional information 



facility may encounter, form the basis of 
defining the threat. 

PPSs must be designed to protect 
against these threats. As an example, the 
threat for Department of Energy (DOE) 
facilities is defined in the DOE Design 
Basis Threat Policy. Parts of this policy 
are classified information that is not avail- 
able to the general public. The Nuclear 
Regulatory Commission (NRC) specifies 
another, but similar, threat that commer- 
cial nuclear facilities use in the design 
and analysis of their PPS. 

Steps for Threat Definition 

The threat at one facility may not be the 
same as the threat for another. The threat 
may vary even for facilities making the 
same products or using the same opera- 
tions. In addition, one facility may face 
several different threats. It should be 
noted that threats are based on targets, so 



these objectives must be considered in 
parallel. 

The physical threat to a facility must be 
defined as part of determining the objec- 
tives of the PPS. A threat definition results 
in a detailed description of the physical 
threat by a malevolent adversary to the 
system. The description includes infor- 
mation about the potential actions, moti- 
vations, and physical capabilities of the 
potential adversary. 

The methodology for threat definition 
consists of three basic parts: 

1. List the information needed to 
define the threat. 

2. Collect information on the potential 
threat. 

3. Organize the information to make it 
usable. 

Each of the parts is important in deriving 
a complete definition of the threat(s) for a 
specific site. 
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Before time is spent collecting informa- 
tion, it is important to decide what kind 
of information is needed to complete a 
definition of threat for a site. A list of nec- 
essary information about adversaries 
includes: 

• motivation 

• potential goals based upon targets 

• tactics 

• numbers and capabilities 

A definition of threat must include a 
description of the type of adversary. In 
this book, adversaries are characterized in 
three broad groups — outsiders, insiders, 
and outsiders working in collusion with 
insiders. 

Outsiders 

Outsiders might include terrorists, crimi- 
nals, extremists, or hackers (Freedman 
and Mann, 1997). Motivations that might 
prompt potential adversaries to undertake 
criminal actions against an enterprise or 
facility can be grouped into three broad 
categories: 

• Ideological — Ideological motivations 
are those linked to a political or 
philosophical system. They would 
include those of political terrorists, 
antinuclear extremists, and certain 
groups of philosophical or religious 
fanatics. Some examples include 
anti-abortion, animal rights, militia, 
and various hate groups. 

• Economic — Economic motivations 
involve a desire for financial gain. 
Criminals might view material or 
information as potentially attractive 
targets for schemes of theft for 
ransom, sale, or extortion. 

• Personal — Personal motivations per- 
tain to the special situations of spe- 
cific individuals. Personal reasons for 



committing a crime could range from 
those of the hostile employee with 
a grievance against an employer, to 
those of the psychotic individual. 
Some attacks are a form of recreation, 
such as those initiated on computer 
systems by hackers. Other motiva- 
tions may be based on drug or alcohol 
dependencies, or the desire to sell 
drugs at the workplace. 

A discussion of the potential goals of 
the adversary includes what sorts of 
crimes these various adversaries are inter- 
ested in and capable of carrying out and 
which of these crimes are of concern to 
the specific site. Some of the potential 
goals of adversaries related to protecting 
information, assets, and people include 
theft, sabotage, extortion, kidnapping or 
violence against persons, misuse of the 
facility, and disclosure of classified or pro- 
prietary information. 

Insiders 

An insider is defined as anyone with 
knowledge of operations or security 
systems and who has unescorted access to 
facilities or security interests. A full range 
of insider threats would include an indi- 
vidual or individuals who are passive 
(e.g., provide information), active nonvio- 
lent (e.g., facilitate entrance and exit, 
disable alarms and communications), or 
active violent (participate in a violent 
attack). The active violent insider is a very 
difficult adversary to protect against. 
Although more than one insider is pos- 
sible, emphasis is placed upon addressing 
the single insider, the most probable 
insider threat. 

Recent surveys indicate that insiders 
are responsible for the majority of security 
breaches in both physical and computer 
security systems (Computer Security 
Institute [CSI], 1998; Radcliff, 1998; 
Pinkerton, 1997). When considering the 
threat of the insider, it must be recognized 



28 



Determining System Objectives 



that insiders can have the same motiva- 
tions as outsiders. Any employee may 
pose a potential insider threat, even 
trusted plant managers and security per- 
sonnel. It should not be assumed that 
since a person is an employee that he or 
she will be free from greed and dissatis- 
faction or invulnerable to cooperating 
with adversaries as a result of coercion. 
Insiders have three characteristics that 
distinguish them from other adversaries: 

• system knowledge that can be used 
to their advantage 

• authorized access to the facility, 
assets, or PPS without raising suspi- 
cions of others 

• opportunity to choose the best time 
to commit an act 

Protecting against insiders can be very 
challenging. Insiders may exploit their 
knowledge of facility operations and secu- 
rity system performance. They may also 
maximize their chance of success because 
they have access to critical areas or infor- 
mation and can choose their own time 
and strategy. Insiders also may abuse their 
authority, through their proximity to 
information and assets or as security per- 
sonnel. Guard forces represent a special 
and vexing problem. In one study at a 
facility, guards were responsible for 41% 
of crimes committed against guarded 
targets (Hoffman, et al., 1990). 

Figure 3.2 shows the protection 
approaches used across the entire threat 
spectrum. It shows that outsiders acting 
alone are deterred or denied by physical 
protection (physical security), while 
insiders are primarily defeated through 
additional procedural measures related to 
accounting for and tracking of critical 
assets (i.e., inventories, random searches, 
or scans). In the case of collusion between 
outsiders and insiders, strict control of 
critical assets is added to existing proce- 
dures and physical security measures. In 
this case, additional access controls and 
specific controls are placed on the move- 
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Figure 3.2 Protection Approaches across 
the Threat Spectrum 



ment of assets around or out of a facility. 
For example, in a manufacturing plant, an 
assembler of VCRs may collude with the 
driver of the food service truck to remove 
finished VCRs. This act may be countered 
by eliminating the capability of the 
employee to move items out of the pro- 
duction area or by tracking production 
items manually or automatically. 

Physical protection provides the most 
effective barrier to outsiders acting alone 
or in collusion with insiders, while the 
control of and accounting for assets are 
useful against insiders. Control and 
accounting are accomplished through 
the use of procedures, audits, and 
inventorying. 

Additional procedural protection mea- 
sures against insiders include the use of 
personnel security assurance programs, 
such as pre-employment background 
checks and periodic updates, and separa- 
tion of job responsibilities, so that two or 
more employees are required to complete 
sensitive tasks. This will decrease the 
probability of adversary success, because 
the cooperation of others is required and, 
as more people are aware of an imminent 
attack, tbere is a higher likelihood of it 
being reported. Many insider opportuni- 
ties are the result of procedural failures, 
not failures of technology. A recent 
notable example of this is the case of 
Aldrich Ames. Ames single-handedly 
compromised the entire U.S. intelligence 
gathering network in Russia (Earley, 
1997). In this case, a knowledgeable 
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insider with access to critical information 
was allowed to remain in a sensitive posi- 
tion, despite warning signs that should 
have been acted on during routine 
security clearance investigations. Other 
common examples of insider attacks are 
bank fraud and armored car robberies. 

Capability of Adversary 

Of utmost concern to the designer of a PPS 
is the capability of the potential adversary. 
The number of attackers to be defended 
against has always been a question of 
primary concern. It is also valuable to 
know how the adversary might be armed. 
Will the adversary have weapons and 
explosives and, if so, what kind? Other 
factors that describe adversary capabili- 
ties include a description of the adver- 
sary's tools and equipment, their means of 
transportation (truck, helicopter, etc.), 
extent of technical skills and experience, 
and whether or not they might have 
insider assistance. 

In addition to weapons, various tools 
can be used by the adversary to penetrate 
the security system. Part of threat defini- 
tion is an assessment of which tools the 
adversary may use. Tools may include 
hand tools such as bolt-cutters, pliers, or 
hacksaw blades, power tools, burn bars, 
or cutting torches, as well as any tools or 
equipment located at the facility. This 
might include such things as chemicals, 
forklifts, or facility vehicles. Figure 3.3 
shows a sample of some of the tools an 
adversary may choose to bring or adapt for 
use if located on-site. 

Adversary Tactics 

Adversaries will be expected to use any 
tactics that increase their chances of 
achieving their objective. These tactics 
include force, stealth, and deceit. A force 
tactic is one in which the adversary over- 
powers the system or personnel at a 
facility, with no attempt to hide their 



intention. The adversary will penetrate 
the security system with no concern for 
being observed and will likely have a 
weapon to compel others to cooperate. 
Stealth as a tactic refers to the adversary 
trying to enter a facility covertly and meet 
their objective. The goal is to remain 
undiscovered for as long as possible. 
Deceit implies the use of real or forged 
credentials to gain access to information 
or assets and remove them under the guise 
of authorized access. 

Clearly, different groups of adversaries 
will employ different tactics. Although 
insiders could use any tactic, they benefit 
most through the use of deceit; that is, 
they bear legitimate credentials and 
authorization to be near the target. Work- 
place violence incidents may be the 
most common use of force by an insider. 
A criminal might use a combination of 
stealth and deceit, and a terrorist might 
use a combination of stealth, then force. 
Consideration of the adversary tactic, or 
combinations of tactics, should be part of 
the threat definition for a facility. 



Potential Actions 

When an adversary attacks a facility, they 
have specific goals in mind. Potential 
actions of an adversary include trying 
to steal something, industrial espionage, 
sabotaging equipment or processes, extor- 
tion, blackmail, coercion, violence against 
others, or kidnapping. It is important to 
understand the actions of a potential 
adversary before designing a system so 
that appropriate protection elements can 
be included. For example, if a company 
finds that their expected threat is from an 
outside competitor gathering information 
through unauthorized access to computer 
systems, adding a high-security perime- 
ter-intrusion detection system may not 
reduce the likelihood of attack. However, 
if the threat is a group of criminals with 
help from a passive insider, a physical 
security system can be very effective. 
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Figure 3.3 Sample Adversary Tools. Available tools include weapons, hand and power 
tools, and cutting torches, as well as any equipment located at the site of the attack 



Collect Threat Information 



The local environment provides informa- 
tion about the threat for a specific site. 
Conditions outside the facility and 
inside the facility should be considered. 
Conditions outside the facility, such as 
the general attitude of the community, 
whether the surrounding area is urban or 
rural, and the presence of organized 
extremist groups, can provide information 
on threats. Conditions inside the facility, 
such as the workforce, labor issues, 
industrial relations policies, public rela- 
tions policies, security awareness, and 
human reliability programs, may also 
affect the potential threat. 



A review and characterization of the 
local and national population can be 
useful in determining a potential threat to 
a specific facility. Any discontented or 
disgruntled faction of the population 
should be reviewed. For this faction, 
special attention should be given to 
combat veterans, technically skilled 
people, political extremists, and employ- 
ees with experience in or access to similar 
facilities. 

There are several features of a facility 
that may make it more or less attractive to 
an adversary if there is a perception that 
these features can be used to adversary 
advantage. Geographic and structural dif- 
ferences of the facility, the attractiveness 
of specific assets, and the adversary's 
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assessment of PPS effectiveness are a few 
of these features. 

To determine the threat, information 
should be sought for regional, national, 
and international threats, depending on 
the mission and location of the facility. 
Sources for this information include: 

• intelligence sources 

• crime analysis, studies 

• professional organizations and 
services 

• published literature 

• government directives and 
legislation 

Intelligence Sources 

Intelligence sources can provide detailed 
information about the current activities of 
groups, which might pose a threat to facil- 
ities. It is important that current informa- 
tion be received and reviewed constantly. 
It is also important to establish a 
network for talking with and receiving 
information from national law enforce- 
ment and intelligence sources. Establish- 
ing this relationship early provides an 
advantage in receiving important infor- 
mation. Security concerns and interests 
must be expressed clearly and specifically 
to these sources. They need to understand 
what information is desired and why it 
is desired. Information that should be 
provided to help them understand your 
problem includes the following: 

• specific facility or facilities of 
concern 

• adversary objectives to be prevented, 
such as theft, sabotage, industrial 
espionage, and the targets to be 
protected 

• information about the kinds of 
incidents at your facility or other 
facilities (burglaries, trespassing, 
espionage) 

Requests that are too general may go 
unanswered. 



The advantage of establishing a network 
for talking with local law enforcement 
and intelligence sources is to gain their 
cooperation and to obtain approvals 
for receiving information from national 
sources. 

Crime Studies 

A review of past and current crimes com- 
mitted locally, nationally, and interna- 
tionally can provide useful information 
in characterizing the potential threat. 
Lacking an adequate sample of incidents 
from which to build a profile of adver- 
saries, analysts might expand their study 
to include actual crimes outside the spe- 
cific domain of the site that are in some 
way analogous to possible but uncom- 
mitted crimes. For facilities with high 
value or high consequence assets, review 
sophisticated burglaries, major armed 
robberies, and industrial sabotage. Crimes 
committed by well-educated, professional 
people may provide additional insight. 
Research incidents involving political 
extremists, such as terrorist assaults and 
symbolic bombings, where a political 
statement — and not the destruction of the 
target — was the primary aim. Examine the 
criminals (arsonists, psychotic bombers, 
and mass murderers) as well as the crimes 
themselves for clues about the criminals' 
sometimes bizarre motivations and 
capabilities. 

Professional Organizations 
and Services 

Nongovernment networks for information 
exchange can provide information on the 
assessment of threat. Academic, research, 
and industrial organizations meet period- 
ically to discuss current topics, and 
security issues and problems are often 
included. A network can be established 
to compare perceptions of the threat 
problem at local, national, and interna- 
tional levels. National professional orga- 
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nizations, such as the American Society 
for Industrial Security and the Computer 
Security Institute (CSI, 1998), publish 
surveys on insider threats, costs of crime 
in industrial facilities, and threats from 
hackers. 

In addition to the use of professional 
organizations, some professional services 
are also available to help in threat defi- 
nition. Consultants in investigation, 
surveillance, business intelligence, due 
diligence, and computer systems have the 
expertise and insight to provide useful 
threat information to corporations or 
enterprises. Other professional services 
may include behavioral psychologists, 
criminologists, and attorneys, who can 
provide profiling information or advise on 
recent court cases and rulings that may 
help identify emerging threat areas. 



Published Literature and 
the Internet 

A complete search of current literature 
can provide extensive information con- 
cerning the threat. Information can be 
obtained from open sources and from 
library and research organizations. Open 
literature sources include national infor- 
mation services and publications, news- 
papers, news broadcasts, and publications 
on specific topics. Library and research 
organizations have electronic databases, 
newspaper microfilm banks, and cross- 
references for material that make it easy to 
find information concerning a threat if it 
exists. The Federal Bureau of Investiga- 
tion (FBI) maintains a bomb data center 
and has a Web page that contains crime 
statistics and recent publications (FBI, 
1999). Under the auspices of the National 
Institute of Justice, JUSTNET is main- 
tained by the National Law Enforce- 
ment and Corrections Technology Center 
(NLECTC), and is a comprehensive source 
of law enforcement and corrections infor- 
mation, including recent news items 
regarding threats (NLECTC, 1999). Of 



particular interest may be articles or 
reports discussing emerging threats, such 
as chemical/biological attacks, non-state- 
sponsored terrorist acts, international 
crime including narcotics trafficking, and 
information warfare. 



Government Directives and 
Legislation 

Various pieces of government legisla- 
tion and directives provide information 
about expected or emerging threats. These 
sources may provide additional insight 
regarding potential threats to a facility 
or industry and may also serve advance 
notice to some industries of government 
interest in protecting certain targets 
against threats. 

The recent presidential Combating Ter- 
rorism directive (PDD-62) highlights the 
growing threat of unconventional attacks 
against the United States. It details a new 
and more systematic approach to fighting 
terrorism by bringing a program manage- 
ment approach to U.S. counter- terrorism 
efforts. The directive also establishes 
the office of the National Coordinator 
for Security, Infrastructure Protection, and 
Counter-Terrorism, which will oversee 
a broad variety of relevant policies 
and programs, including areas such as 
counter-terrorism, protection of critical 
infrastructure, preparedness, and conse- 
quence management for weapons of 
mass destruction (CIAO, 1998). 

The Critical Infrastructure Protection 
directive (PDD-63) calls for a national 
effort to assure the security of the in- 
creasingly vulnerable and interconnected 
infrastructures of the United States. 
Such infrastructures include telecom- 
munications, banking and finance, energy, 
transportation, and essential government 
services. The directive requires immedi- 
ate federal government action, including 
risk assessment and planning to reduce 
exposure to attack. It stresses the critical 
importance of cooperation between the 
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government and the private sector by 
linking designated agencies with private 
sector representatives (CIAO, 1998). 

Moreover, Executive Order 13010, 
which formed the President's Commis- 
sion on Critical Infrastructure Protection, 
was signed by President Clinton on July 
15, 1996. This order mandates that those 
facilities that are part of the national 
critical infrastructure be reviewed and 
adequately protected as a matter of 
national security (PCCIP, 2000). The list 
includes: 

• Information and communications 

• Electrical power systems 

• Gas and oil transportation and 
storage 

• Banking and finance 

• Transportation 

• Water supply systems 

• Emergency services 

• Government services 

Legislation passed by Congress in the 
past few years shows an increased empha- 
sis on the emerging threats of chemical 
and biological warfare, domestic terror- 
ism, and the preparedness of state and 
local agencies to counter these threats. 
For example, the 1996 Anti-Terrorism 
Act increases penalties for conspiracies 
involving explosives, expands penalties 
for possession of nuclear materials, and 
criminalizes the use of chemical weapons 
within the United States, or against Amer- 
icans outside of the United States. This 
act also directs the Attorney General to 
issue a public report on whether literature 
or other material on making bombs or 
weapons of mass destruction is protected 
by the First Amendment, authorizes the 
Secretary of State to designate groups as 
terrorist organizations, and authorizes 
more than $1 billion over five years for 
various federal, state, and local govern- 
ment programs to prevent, combat, or deal 
with terrorism. This legislation and others 
may provide additional useful informa- 
tion when identifying threats to certain 



assets or targets (Close Up Foundation, 
1997). Related to this effort, studies have 
been performed for the government that 
provide information in defining threats, as 
well as state and local capability to 
respond (Riley and Hoffman, 1995). 

Organize Threat Information 

After all of the threat information has 
been collected, it is necessary to put it in 
a form that makes it usable. Table 3.1 lists 
the type of information required and pre- 
sents a way to organize the information 
to define an outsider threat. The table 
is designed to address three outsider 
adversary groups: terrorist, criminal, and 
extremist. Other outsider groups could be 
added to the table or could replace one of 
the originals. For each outsider adversary 
group, assessments of the likelihood of 
potential actions are asked for concerning 
theft, sabotage, or some other action iden- 
tified. The assessments are qualitatively 
judged to be high, medium, or low. In the 
same way, judgment of the category of 
motivations for each outsider adversary 
group can be high, medium, or low. 
Finally, outsider adversary capabilities 
can be tabulated. For each adversary 
group, specific data should be listed for 
each topic under capabilities. 

Information to define an insider threat 
is described in Table 3.2. The different 
types of insiders at a facility should be 
listed in the left column and the informa- 
tion in the table completed for each type 
of insider. Types of insiders might include 
the PPS designer, security console opera- 
tor, maintenance person, engineer, cleri- 
cal workers, security manager, and so on. 
Questions are asked about how often 
each type of insider has access to the asset 
or vital equipment, or the PPS. Based 
upon this access information, assessments 
of the likelihood of theft, sabotage, and 
collusion are made. The assessments for 
each type of insider are high, medium, 
or low. 
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Table 3.1 Outsider Adversary Threat Spectrum. 



Each threat is rated in each category to summarize outsider threat data. Additional 
groups can be added or used as a replacement for those shown. Capabilities are 
assessed at a high, medium, or low ranking. 




Type of Adversary 


Potential Action Likelihood (H, M, L) 


Terrorist 


Criminal 


Extremist 


Theft 








Sabotage 








Other 








Motivation (H, M, L) 








Ideological 








Economic 








Personal 








Capabilities 








Number 








Weapons 








Equipment and tools 








Transportation 








Technical experience 








Insider assistance 









After all of the information has been 
completed in the tables, the adversary 
groups can be compared and ranked by 
type in order of their threat potential. This 
definition of threat provides the designer 
or analyst of a PPS with the information 
needed for a specific site. However, even 
though one threat is identified as the 
highest potential (and becomes the design 
basis threat), the PPS must be evaluated 
against the entire threat spectrum. 



Sample Threat Statements 

The following is a sample Nuclear Regu- 
latory Commission (NRC) published 
design basis threat that is used to design 
and evaluate safeguards systems for 
nuclear power plants for protection 
against acts of radiological sabotage and 
theft of special nuclear material. The 
threat is considered to include a deter- 
mined, violent external assault, attack by 
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Table 3.2 Insider Adversary Threat Spectrum. 



Different types of insiders are listed and information describing the threat is shown in 
the table. 


Insider 


Access to 
Asset (often, 
seldom, never) 


Access to PPS 
(often, seldom, 
never) 


Theft 

Opportunity 
(H, M, L) 


Sabotage 
Opportunity 
(H, M, L) 


Collusion 
Opportunity 
(H, M, L) 



















































stealth, or deceptive actions, of several 
persons with the following attributes, 
assistance, and equipment: 

• well-trained (including military 
training and skills) and dedicated 
individuals; 

• inside assistance, which may include 
a knowledgeable employee in any 
position who attempts to participate 
in a passive role (e.g., provide infor- 
mation), or an active role (e.g., facili- 
tate entrance and exit, disable alarms 
and communications, participate in a 
violent attack), or both; 

• suitable weapons, up to and includ- 
ing hand-held automatic weapons, 
equipped with silencers and having 
effective long-range accuracy; 

• hand-carried equipment, including 
incapacitating agents and explosives 
for use as tools of entry or for other- 
wise destroying reactor, facility, 
transporter, or container integrity or 
features of the safeguards system; 

• land vehicles used for transporting 
personnel and their hand-carrier 
equipment; and, 

• the ability to operate as two or 
more teams. 

This threat statement also considers the 
potential for a conspiracy between indi- 



viduals in any position who have access 
to and detailed knowledge of nuclear 
power plants or the facilities, or items that 
could facilitate theft of special nuclear 
material (e.g., small tools, substitute mate- 
rial, false documents, etc.), or both. 

The following is another threat state- 
ment that identifies and characterizes a 
potential threat for a semiconductor man- 
ufacturer. Facility interests shall be pro- 
tected against theft of product, production 
materials, tools and equipment, personal 
computers or components, and personal 
property for financial gain. The threat may 
include up to three people who perpetrate 
criminal acts for economic gain. Normally 
this group doesn't commit acts of violence 
in furtherance of the crime, but they may 
resort to less than deadly force to resist or 
avoid capture. This individual or group 
typically commits crimes of opportunity 
and frequently targets easily accessible 
and removable assets that can be person- 
ally used or readily sold. Attack methods 
include stealth and deception, may be an 
insider or assisted by one, may have 
extensive knowledge of the facility, and 
may use weapons other than firearms to 
avoid capture but will not use explosives. 
Additional threats to this facility may be 
disgruntled employees and industrial 
espionage, each of which would require 
their own specific characterization. 
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Another sample design basis threat 
statement reads as follows: 
The design basis threat shall serve to: 

• establish a safeguards and security 
program and requirements, 

• provide a basis for site safeguards 
and security program planning im- 
plementation and facility design, 

• provide a basis for evaluation of 
implemented systems, 

• support counterintelligence pro- 
grams and requirements, and 

• provide a basis for evaluation of 
counterintelligence risks posed to 
interests. 

This threat statement describes a base- 
line threat spectrum. In the development 
of this threat, site-specific geographical, 
environmental, or other unique facility or 
location characteristics were not con- 
sidered. Site-specific threat statements 
should be modified to take into account 
unique local and regional threat consider- 
ations to supplement the design basis 
threat. 

For example, types of adversary groups 
that could be included within the site- 
specific threat definition include: 

• Terrorists — persons or groups who 
unlawfully use force or violence 
against persons or property to intim- 
idate or coerce a government, the 
civilian population, or any segment 
thereof, in furtherance of political or 
social objectives. 

• White Collar Criminal — individual 
who seeks classified and/or sensitive 
unclassified information or material 
or attempts to alter data maintained 
for the purpose of gaining economic 
advantage for the individual or the 
individual's employer. 

• Organized Criminals — persons who 
perpetrate criminal acts for profit or 
economic gain. 

• Psychotic — person suffering from a 
mental disorder of sufficient magni- 



tude to experience periodic or pro- 
longed loss of contact with reality. 

• Disgruntled Employee — individual 
who engages in vindictive, violent, 
or malicious acts at or directed 
against the place of employment. 

• Violent Activists — a group or indi- 
vidual who commits violent acts out 
of opposition to programs for ecolog- 
ical, political, economic, or other 
reasons. 

• Intelligence Collector — individual 
who uses human intelligence me- 
thods and engages in clandestine 
intelligence gathering on behalf of 
a foreign intelligence service. 

In conclusion, a well-constructed threat 
statement will be established by an appro- 
priate group with relevant information, 
undergo periodic review and update, sup- 
plement corporate policy with local threat 
assessment, address insider potential, and 
provide threat details including numbers, 
equipment, weapons, transportation, and 
motivation. Once this information has 
been collected and summarized it should 
be protected as classified or sensitive and 
access to it should be limited. 



Summary 

One approach has been presented for 
completing a definition of the threat for a 
specific site. The approach suggests the 
type of information required and possible 
sources of that information to develop a 
description of the threat. The information 
can be summarized and used in ranking 
the adversaries in order of their threat 
potential. The summary comprises the 
threat spectrum, from which the design 
basis threat can be selected. The design 
basis threat is the maximum credible 
threat to a facility. The final definition of 
threat for a specific site is required infor- 
mation for the PPS designer and system 
effectiveness analyst. Once established, 
this information should be protected and 
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its distribution limited. This design basis 
threat should be reviewed and updated 
periodically, or as events dictate. 



Security Principle 

Design Basis Threat — A facility PPS is 
designed based on the maximum credible 
threat to the facility. The final design 
should be checked against the entire 
threat spectrum. Once established, the 
design basis threat should be protected as 
classified or sensitive proprietary data. 
The threat statement should be reviewed 
periodically and updated as necessary. 
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Questions 

1. Using Tables 3.1 and 3.2, pick 
a sample facility and create a 
threat spectrum. Select a design 
basis threat and explain your 
selection. 

2. Why is it so important to complete a 
threat definition before designing a 
physical protection system? 

3. What work conditions are important 
in the evaluation of the insider 
threat? 

4. Explain why threat definition con- 
siders international threat in addi- 
tion to a local or national threat. 

5. What are other sources of informa- 
tion on threat? 

6. What are the different ways that 
an insider can help an outsider 
adversary? 
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Target identification provides the basis for 
PPS design by focusing on what to 
protect, and PPS design addresses how- 
to protect. Target identification is an eval- 
uation of what to protect without con- 
sideration of the threat or the difficulty 
of providing physical protection. In 
other words, target identification identi- 
fies areas, assets, or actions to be pro- 
tected. The threats to these items, and the 
ease or difficulty of protecting the items 
against a particular threat, are considered 
after the items are identified. In this 
chapter, the terms target and asset are 
used interchangeably; in succeeding 
chapters, asset will refer to any target of 
an adversary attack. 

Figure 4.1 summarizes the steps 
involved in target identification. These 
steps are discussed in the following 
sections. 



Undesirable Consequences 

It is not possible or practical to protect all 
assets at a facility. Effective security pro- 
tects a minimum, yet complete, set of 



items. The criteria for selecting items to 
protect depend on the undesirable conse- 
quences to be prevented. Some undesir- 
able consequences are: 



Loss of life 

Theft of material or information 

Environmental damage due to release 

of hazardous material by theft or 

sabotage 

Interruption of critical utilities such 

as water, power, or communications 

Degraded business operations 

Workplace violence, extortion, 

blackmail 

Building collapse 

Damage to reputation 

Legal liability 



It should be apparent that the conse- 
quence of the loss may cover a spectrum, 
from unacceptable (loss of life) to finan- 
cial loss (industrial espionage) to the rel- 
atively less severe (damage to reputation). 
The process of target identification uses 
the consequence of the loss to help deter- 
mine which assets should be protected 
and to what extent. For example, the loss 
of proprietary data from a facility, while 
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Figure 4.1 Steps in Target Identification 



undesired, could not be compared to the 
loss of a life. Thus, we assume that loss of 
life is the highest consequence event, and 
other undesired consequences are lower 
in comparison. This is not to say that loss 
of life is the only high consequence event 
at a facility. 

Consequence Analysis 

A major result of target identification 
will be the prioritization of targets based 
on the consequence of the loss of the 
asset. This is accomplished by first listing 
all of the targets at a facility or within 
an enterprise, determining the level of 
the consequence of loss (i.e., high, 
medium, or low), estimating the proba- 
bility of the occurrence of the event, and 
finally, assessing where a particular 
threat fits. The consequence measure 
may be in dollars, loss of life, loss of re- 
putation, or a combination of these, but 
it should establish consistency among 
targets to allow for relative ranking of the 
consequences. The probability of occur- 
rence, which is the likelihood that an 
adversary will attack, may be obtained 
through use of historical records or be 
based on information obtained during 
threat definition. This process can be 
expedited through the use of a matrix, as 
shown in Table 4.1. 



In Table 4.1, the target is a pump station 
at a water utility. Consequence analysis of 
the station yields the matrix shown in the 
table. Thus, the highest consequence 
event appears to be the threat of a terror- 
ist using a chemical or biological agent to 
contaminate the water supply. A lower 
consequence event is the possibility of 
sabotage by an insider or a citizen with a 
grudge against the company or the town. 
The lowest consequence event is charac- 
terized as vandals spraying graffiti on 
walls, equipment, or other property. In 
addition to the ranking of consequence, it 
is also important to establish the proba- 
bility of occurrence of the event. In the 
pump station example, there is a high 
probability that kids will spray graffiti on 
pump station property. Although this has 
a high probability of occurring, the con- 
sequence of graffiti sprayed on walls or 
equipment is much less than the conse- 
quence of contamination of the local 
water supply. In a like manner, the 
probabilities of the terrorist attack 
and sabotage event have been assessed to 
be a medium probability. This analysis 
shows that there is a moderate probability 
of a terrorist attack or a sabotage event, 
but the consequence of the terrorist 
attack is higher, so preventing contamina- 
tion of the water supply is the highest 
priority. 

This matrix is a quick way to relate con- 
sequence, probability of occurrence, and 
threat. Use of this matrix helps to deter- 
mine the risk to a facility across a threat 
spectrum and at varying consequence 
levels. This information will be useful in 
allocating resources within the protection 
system design and for more complete risk 
analysis, which will be covered in more 
detail in Chapter 15, "Risk Assessment." 
In a quantitative analysis, consequence 
values fall between and 1.0, with 1.0 
being the highest consequence loss. Con- 
sequence values may also be established 
using a qualitative scale of high, medium, 
and low, based on the relative conse- 
quence of loss. 
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Table 4.1 Consequence Analysis of Pump Station. 



The threat spectrum is placed inside the table at the place where the consequence of 
the loss and the probability of adversary attack intersect. 



High 
Consequence 




Chem/Bio Contamination 
(Terrorist) 




Medium 
Consequence 




Sabotage (Insider, upset citizen) 




Low 
Consequence 






Graffiti 
(Vandals) 




Low 
Probability 


Medium 
Probability 


High 
Probability 



Targets 



When target identification is focused on 
theft, all assets of concern must be pro- 
tected. When target identification is con- 
cerned with sabotage, there may exist 
choices of target sets to protect. For 
example, a dam will have a control room 
and various valves and pumps to control 
the flow of water. Protection of certain 
components within selected systems may 
prevent malevolent flooding if compo- 
nents of other systems are sabotaged. That 
is, sabotage concerns may sometimes be 
addressed by protecting one critical set 
from among a number of sets of items. 
The selection of a set to be protected is 
determined by the ease of providing pro- 
tection, the operational impact of provid- 
ing protection, and the consequence of the 
loss. Targets may also include people, 
such as workplace violence against any 
employee or focused on senior executives. 
When targets include people or executive 
protection, additional information and 
planning may be required. Executive pro- 
tection is not a specific focus of this book. 
Many good references are available for 
details regarding this activity (Braunig, 
1993; Oatman, 1997; Hawley and Holder, 
1998). If senior executives are identified 
as targets, additional personal protection 



will be required. This book is mainly 
focused on protection of assets and infor- 
mation at a facility, where one of the 
assets will be people. 

The selection of a limited set of com- 
ponents to be protected against sabotage 
is intended to minimize the difficulty 
of providing protection. The PPS is 
designed to protect a minimum number 
of critical components to a high degree. 
This set of components must be complete; 
that is, protection of the minimum set 
must completely prevent the undesir- 
able result regardless of sabotage of 
components not included in this pro- 
tection set. 

There is one final note concerning 
targets. In large, complex facilities, there 
may be many theft, sabotage, or other 
targets. Very often these targets are dis- 
tributed throughout the facility. For 
example, there may be multiple buildings, 
each with critical assets, or a large build- 
ing with many smaller targets, such as 
finished product, laptop computers, pro- 
prietary information, and tools. For large 
facilities with distributed targets, a PPS 
must be designed around the entire area 
containing the assets. On the other hand, 
some facilities, while complex, may 
contain certain localized targets. Exam- 
ples include explosive storage facilities, 
power substations, transmission towers, 
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dams, and computer equipment rooms. In 
this case, the PPS may be concentrated 
on a smaller area. This reduction in size 
can be a very cost-effective method for 
protecting critical assets. 



Techniques for Target 
Identification 



The two techniques for target identi- 
fication discussed in this chapter are 
manual listing of targets and use of logic 
diagrams to identify vital areas. A section 
explaining logic diagrams is provided 
below as an introduction to vital area 
identification. 



Manual Listing of Targets 

For theft of localized items such as com- 
puters, tools, proprietary information, or 
work-in-process, the manual listing of 
targets is an appropriate technique. This 
technique consists of listing all significant 
quantities of assets of concern and their 
locations. The list provides the targets to 
be protected. 

The manual technique can also be 
applied to theft of product-in-process 
(such as semiconductors or drugs) or sab- 
otage of critical components if the facility 
is simple. For complex facilities, the 
manual technique is limited for both of 
these concerns. Product-in-process may 
include pills just ready to be packaged, or 
filled bottles waiting to be loaded into 
cases. These intermediate process steps 
may be good theft targets, particularly for 
insiders. If a production line is very 
complex, or there are multiple production 
lines at work, the opportunities for theft of 
these drugs may be broadly distributed 
throughout the plant, not limited to the 
end of the production line. In addition, 
storage and shipping areas are also areas of 
interest. Or, consider a large petrochemi- 



cal plant with sabotage as a concern. 
Many complex systems, each with hun- 
dreds of components, interact to produce, 
route, and store the finished products. 
Furthermore, many support systems 
such as electrical power, ventilation, and 
instrumentation are interconnected to 
primary components such as pump motors 
in a complex manner. Target identification 
must consider which systems and compo- 
nents to protect and their interaction with 
other support systems. 

When the facility is too complex for a 
manual identification of targets, a more 
rigorous identification technique may be 
used. The following sections discuss 
this technique in detail. They describe a 
methodical, comprehensive way to logi- 
cally consider which systems and compo- 
nents must be protected to prevent an 
undesirable result. 



Logic Diagrams 

The logic diagram is a useful tool for 
determining the potential theft and 
sabotage targets for a complex facility. 
One type of logic diagram, called a fault 
tree (Fussell, 1976), graphically repre- 
sents the combinations of component and 
subsystem events that can result in a spec- 
ified undesired state. A simple logic 
diagram for penetrating the outer bound- 
ary of a site with some physical protec- 
tion components present is shown in 
Figure 4.2. The following discussion on 
logic diagrams borrows heavily from the 
notation used in digital electronics 
(Putman, 1986). 

In this example, the undesired event is 
to defeat the boundary, which can be 
accomplished by defeating the personnel 
or vehicle portals, or by passing over or 
under the boundary, or by defeating the 
fence. Further elaboration of the actions 
required to defeat the personnel and 
vehicle portals, as well as defeating the 
fence, is also shown. 
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Figure 4.2 Simple Logic Diagram. The diagram develops all the ways to penetrate the 
outer boundary of a facility 



In a more complex example, one unde- 
sired consequence (or event) for a dam is 
the uncontrolled release of large quanti- 
ties of water as a result of sabotage of crit- 
ical components. The PPS is intended to 
prevent sabotage of these components. 
Logic diagrams that are intended to iden- 
tify the sets of components an adversary 
would have to sabotage to cause the con- 
sequence are called sabotage fault trees 
and are used for vital area analysis. They 
describe the actions an adversary must 
accomplish to cause sabotage, and they 
can be used to identify the areas (loca- 
tions) to be protected in order to prevent 
sabotage. 

Figure 4.3 illustrates the symbols that 
are used in logic diagrams. The logic 



diagram shown represents relationships 
between events. Each event will have a 
written description in the large rectangle 
in the logic diagram. A smaller rectangle 
placed immediately under the descrip- 
tion will show the event name or label. 
Event names should be brief and may be 
formed from combinations of letters and 
numbers. 

The symbols of the logic diagram shown 
in Figure 4.3 will be discussed in detail. 
These include symbols for logic gates, 
events, and transfer operations. Two kinds 
of logic gates, the AND gate and the OR 
gate, are used in the logic diagrams. Gates 
have inputs and an output. Inputs enter the 
bottom of the gate; outputs exit the top of 
the description rectangle above the gate. 
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Figure 4.3 Logic Diagram Symbols. The 
logic diagram is a graphical representa- 
tion of combinations of events that can 
result in a specified state or event. Each 
symbol has a specific meaning 




Figure 4.4 Example of an AND Gate. All 
inputs must occur for the output to occur 



OR gate whose inputs are Events 1-1, 1-2, 
and 1-3. Event E-OR occurs if one or more 
of Events 1-1, 1-2, or 1-3 occur. 



AND Gate 

The shape of the AND gate is a round arch 
with a flat bottom (see Figure 4.4). For the 
undesired event described above the AND 
gate to occur, all of the events that have 
an input into the AND gate must occur. 
Thus, if any one of the input events can 
be prevented, the event described above 
the AND gate will be prevented. For 
example, assume Event E-AND is gener- 
ated by an AND gate whose inputs are 
Events 1-1, 1-2, and 1-3. Event E-AND will 
occur if, and only if, Events 1-1, 1-2, and 
1-3 all occur. 

OR Gate 

The shape of the OR gate is a pointed arch 
with a curved bottom (see Figure 4.5). For 
the undesired event described above the 
OR gate to occur, any one (or more) of the 
events that input to the OR gate must 
occur. All of the input events must be pre- 
vented in order to prevent the event 
described above the OR gate. For example, 
in Figure 4.3, Event E-OR is defined by an 



Events 

There are several types of events in logic 
diagrams. They include end events, inter- 
mediate events, and primary events. If an 
event is not used as input to another gate, 
it is called an end event. Logic diagrams 
have only one end event, the topmost 
event of the tree. In Figure 4.3, Event 1 is 
the end event. Sometimes this event is 
also called the treetop. Events that have 
both inputs and outputs are called inter- 
mediate events. In Figure 4.3, Event 1-2 is 
an intermediate event. 



Primary Events Events that do not have 
an input are called primary events. They 
represent the start of actions that ulti- 
mately generate the end event. Two types 
of primary events are distinguished by the 
symbol that appears immediately below 
the name of the primary event: the basic 
event and the undeveloped event. 

The basic event is symbolized by a 
circle below the rectangle, as shown in 
Figure 4.6. A basic event can be under- 
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Figure 4.5 Example of an OR Gate. Any 
one of the inputs must occur for the 
output to occur 




Figure 4.6 Basic Event. These are the 
starting events that lead to the end event 



X> 



stood and evaluated qualitatively or quan- 
titatively, depending on the purpose of the 
analysis, without further development of 
the event into causes or specific cases. 
In Figure 4.3, Events 1-1 and 1-3 are basic 
events. 

Figure 4.7 shows an undeveloped 
event, symbolized by a diamond below 
the rectangle. An undeveloped event is an 
event whose causes are insufficiently 
understood to be included in the logic 
diagram. For the purpose of evaluation, 
the undeveloped event is treated as a 
basic event. The conclusions drawn from 
the analysis of a tree that contains an 
undeveloped event are tentative and 
subject to revision if the event is better 
characterized. In Figure 4.3, Event 2-2 is 
an undeveloped event. 

Transfer Operation The transfer opera- 
tion is represented by an upright triangle. 
The transfer operation is used to make 
the graphic display of the logic tree more 
compact and readable. Because many 
logic diagrams, as they are developed, 
occupy a wide left-to-right space across a 
page, it might be necessary to disconnect 
the development of an event and place it 



Figure 4.7 Undeveloped Event. These are 
events where causes are not sufficiently 
understood to be included in the logic 
diagram 

at a more convenient position on the page 
or on another page. To connect the event 
and its development without drawing a 
line between separate figures, the transfer 
symbol is used. 

An example of the transfer symbol 
is shown in Figure 4.8. The diagram 
shown contains one transfer symbol. 
The transfer operation is shown at the 
bottom as a separate diagram. The devel- 
opment of Event 1-2 is transferred. 
Event 1-2 is shown twice: once in the 
diagram whose development is truncated 
by the transfer and once at the top of the 
subdiagram that develops Event 1-2. In 
general, an event may occur at several 
places in a logic diagram, and the 
common development of that event may 
be transferred. The development will 
appear only once on the page. The A 
which appears within the transfer symbol 
to the left of Event 1-2 is the name of 
the event for which Event 1-2 is an input. 
In general, there will be a list of every 
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Figure 4.8 Example of the Transfer Oper- 
ation. Event A has been developed in a 
different location on the diagram. Trans- 
fer operations make the logic diagram 
more compact and readable 



event to which the transferred event is 
an input. 

Vital Area Identification 

To develop a PPS for a facility, it is 
necessary to determine which assets are 
attractive for theft, the equipment that a 
saboteur must damage in order to halt or 
reduce production, and the location of 
that equipment within the facility. Mate- 
rial that is attractive for theft is relatively 
easy to designate. Because both the func- 
tion and structure of a given facility can 
be very complex, the choice of compo- 
nents and facility areas to protect as vital 
in the prevention of undesired events is 
usually not obvious. Locations containing 
equipment to be protected against sabo- 
tage are called vital areas. To identify the 
vital areas of a facility in a comprehensive 
and consistent way requires a rigorous 
structured approach. This section pre- 
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"What constitutes an event? 
Ex Consequences of Loss of Dam 

"What are causes? 
Ex Flood, Loss of Navigation, Loss of Power 

What are distinct operating states of facility? 
Ex Peak Power. Seasonal Adjustment, Shutdown 



What systems are used? 

Ex Locks. Turbines, Computer Control 



What failures are necessary to cause event? 
Ex Destroy Lock, Disable Turbine, Loss of SCAD A 



Where are the components that must fail located? 
Ex Valve Head, Turbine Room, Control Room 



Analysis 



Figure 4.9 Steps in Vital Area Identifica- 
tion. Using a dam as an example, the steps 
are followed to determine the areas that 
require sabotage protection 



sents techniques that are useful to the per- 
formance of the required analysis. Many 
times, once the vital area identification 
has been performed, it may be reused for 
other similar facilities, where the con- 
struction and layout of the facility are 
the same, or where operations are located 
in the same areas. 

The basic steps used to identify vital 
areas in facilities are summarized in 
Figure 4.9. These steps are applicable to 
any facility. The following discussion 
uses a dam as an example of the vital area 
identification process. 

First, the undesirable consequences for 
a given facility must be defined. This 
level, in turn, determines the events that 
must be considered and helps to establish 
the required scope of the analysis. The 
second step is to identify the sources of 
the undesired consequences. 

Third, the facility's operating states 
must be identified. For a dam, operating 
states include peak power operation, 
adjustment to seasonal climate (such as a 
rainy or dry season), and shutdown. Some 
of the equipment necessary to prevent a 
consequence during one operating state 
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may not be required during another. Thus, 
it may be appropriate to identify different 
sets of vital areas for the different modes 
of operation at a facility. 

In the fourth step, the system failures 
that could lead to an event must be deter- 
mined. This step can be the most com- 
plicated and time-consuming part of the 
process in a complex facility with redun- 
dant systems or multiple operations. 
A systematic analytical technique is 
required in order to ensure that the many 
possible failure mechanisms are rigor- 
ously taken into account and compre- 
hensively reviewed. This will require 
identification of the systems in use. This 
will lead to the next step: determining 
what functional failures are required to 
cause the undesired consequence. 

In order to identify vital areas it is nec- 
essary, in step six, to determine all the 
locations in the facility at which each 
failure can be accomplished. After the 
detailed information on system failure 
and component locations is collected, the 
sabotage fault trees are analyzed using 
a computer code for Boolean algebra 
manipulation as the final step in the 
process. Analysis of the fault trees with 
the code yields the vital areas for the facil- 
ity being analyzed. The procedures used 
in the computer code can also be carried 
out by hand, depending on the size of the 
fault tree. Sabotage fault trees are dis- 
cussed in more detail in the following 
sections. 
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Figure 4.10 Partial Fault Tree for a Dam. 
In this example, events that can lead to a 
flood are described 



the dam as a result of sabotage. In the sab- 
otage fault tree analysis, the undesired 
event is developed, in turn, until primary 
events terminate each branch of the tree. 
Primary events are individual sabotage 
acts such as the disabling of a pump or the 
severing of a pipe. As an example, Figure 
4.10 is an abbreviated version of a sabo- 
tage fault tree for a dam. In this figure, the 
undesired event is developed into inter- 
mediate events that represent primary 
sources of failure. Each gate in the tree 
represents the logical operation by which 
the inputs combine to produce an output. 
Each branch of the tree is developed by 
identification of the immediate, necessary, 
and sufficient conditions leading to each 
event. 



Sabotage Fault Tree Analysis 



Generic Sabotage Fault Trees 



Sabotage fault tree analysis procedures 
are used to identify the sabotage events 
that, in certain combinations, can lead to 
undesired consequences. A fault tree is a 
logic diagram that graphically represents 
the combinations of component and 
subsystem events that can result in a 
specified undesired system state. The 
undesired state for our example is the 
release of significant amounts of water by 



Many facilities have a number of features 
in common. Because of these common 
characteristics, portions of the sabotage 
fault trees will have very similar struc- 
tures. Generic sabotage fault trees that can 
be applied to a broad spectrum of similar 
facilities can be developed. 

The specific details of facility design 
and layout are usually not common to 
different facilities. The systems used to 
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provide the functions necessary to 
prevent the undesirable event, the sub- 
systems and components comprising 
these systems, and, particularly, the loca- 
tions of components can vary significantly 
from facility to facility. Because of these 
site-specific differences, the details of the 
sabotage fault trees and, consequently, 
the number and locations of vital areas, 
will be different for different facilities, 
even if the operations or processes at 
the facilities are of the same type. General 
procedures have been developed to 
gather appropriate site-specific informa- 
tion and incorporate that information into 
generic sabotage fault trees to produce 
detailed sabotage fault trees for specific 
facilities (Fussell, 1976). The advantages 
of using generic sabotage fault tree proce- 
dures are that they (1) make it unlikely 
that a sabotage event will be overlooked 
in the development of sabotage fault trees 
for specific facilities; (2) reduce the time 
required to develop the specific trees; 
and (3) make it possible for someone with 
minimal knowledge of fault tree analysis 
to develop the detailed trees efficiently. 



Location of Vital Areas 

Once the trees have been made site- 
specific, an analysis is performed on the 
trees to find the combinations of events 
that are sufficient to cause an undesirable 
consequence. Each combination of events 
represents a scenario for sabotaging the 
facility. The next step in vital area identi- 
fication is to find the locations in the 
facility where the sets of events can be 
performed. This is done by associating an 
area (location) with every primary event. 
Then the combinations of events that 
cause sabotage are transformed to com- 
binations of locations from which sabo- 
tage can be accomplished. Typically, 
this transformation reduces the size of 
the tree. 

The next step in the procedure is 
to identify minimum sets of locations 



(minimum critical location sets) that, if 
protected, will prevent an adversary from 
accomplishing sabotage. This is the set of 
locations that, if protected, will interrupt 
all possible sequences leading to the 
event. Clearly, AND functions can greatly 
help in protection of a facility, particu- 
larly if the equipment is located in differ- 
ent areas or sectors of the facility. This is 
true because in order for an output event 
to occur as a result of an AND function, 
all the inputs must be present. This can be 
used to the designer's advantage, if criti- 
cal components can be located some dis- 
tance from each other, because this will 
force the adversary to attack several loca- 
tions simultaneously (requiring more 
people) or attack several locations sequen- 
tially, which takes more time. This sort of 
design has been used in nuclear power 
facilities outside the United States, to 
reduce the probability of a successful 
sabotage event by an adversary. This 
approach may also have some use in 
critical infrastructure protection within 
the United States, such as power, water, 
telecommunications hubs, banks, and 
transportation systems. In choosing 
which sets of locations to protect, such 
things as the cost of protection and the 
impact on operability for each location 
should be considered. Some locations 
may be cheaper and easier to protect, or 
may have less of an operational effect if 
protected. If these areas are part of an 
AND function, selection of areas with 
these characteristics will be preferred. 
Once the fault tree and the protection set 
are generated, this data should be pro- 
tected as sensitive proprietary informa- 
tion with limited distribution. 

In practice, the above procedure is 
carried out using a computer for the 
lengthy manipulation of equations repre- 
senting the fault tree. After the generic 
fault trees have been made site-specific, 
the computer code operates on the 
Boolean representation of the tree to find 
the sets of locations where sabotage can 
occur and the minimal set of locations 
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Minimum Cnncal Location Sets: 
Set of locations to panted to prevent 
adversaiyfrom accomplishing sabotage 



Figure 4.11 Vital Area Identification — 
Boolean Logic Compared to Fault Tree 
Methodology. Fault tree information is 
captured in Boolean logic expressions for 
analysis by hand or using a computer 



that, if protected, will prevent a success- 
ful sabotage attack (Fussell, 1976). These 
computer codes make use of identities 
from Boolean algebra. Figure 4.11 illus- 
trates the connection between Boolean 
algebra operations and the methodology 
just described. 

A complete set of locations to be pro- 
tected can be identified by hand without 
using a computer. In this case, a listing of 
every input to OR gates and any single 
input to AND gates can be used to gener- 
ate location protection sets. 

Summary 



manual listing of targets can be used for 
theft of localized items. For simple facili- 
ties, it can also be used for theft of 
product-in-process and sabotage of criti- 
cal components. 

Vital area identification is a structured 
approach of target identification based on 
logic diagrams called fault trees. Fault tree 
analysis provides a disciplined, logical, 
repeatable method for determining vital 
areas in complex facilities. The sabotage 
fault trees clearly document the assump- 
tions made in the analysis and allow an 
examination of the effect of different sets 
of assumptions on the number and loca- 
tion of vital areas. The results are consis- 
tent in form and level of detail for every 
facility analyzed; therefore, that uniform 
criterion can be applied. The analysis 
identifies the minimum set of areas that 
must be considered as vital and thus will 
help reduce costs of physical security. The 
use of generic sabotage fault trees makes 
it possible to quickly develop detailed 
fault trees for specific complex facilities. 

Once a facility has been characterized, 
the design basis threat determined, and 
targets based on threats and consequences 
identified, the design of the PPS can 
begin. In Part II, the detection, delay, and 
response elements that are applied to 
meet the system objectives will be 
addressed. 



Security Principle 

Target identification is used to determine 
what to protect. Targets may be suscepti- 
ble to theft, sabotage, or personal harm. 
Priorities of targets are based on analysis 
of the consequence of the loss and the 
threat. 



Target identification is the process of 
identifying specific locations, actions, or 
assets to be protected to prevent undesir- 
able consequences. Techniques for target 
identification range from a manual listing 
to a more rigorous logic approach. A 
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Questions 

1. Using the symbols and process des- 
cribed in this chapter, draw a logic 
diagram for some task that you do. 



2. Using the manual listing technique, 
list some theft targets for a few 
selected facilities. List the target 
type, such as computers, people, 
tools, or information, and its loca- 
tion. Note the consequence of the 
loss of the item (use High, Medium, 
or Low). Selected facilities might 
include schools, retail stores, malls, 
museums, water or power utilities, 
and so on. 

3. Discuss how the process of target 
identification could be used at a 
movie theatre, a museum, and the 
local telephone switching station. 
Use Table 4.1 to summarize your 
analysis for each facility. 

4. What sources of information 
could be used to aid in target 
identification? 
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The designer now knows the objectives of 
the PPS, that is, what to protect against 
whom. The next step is to design the 
new system or characterize the existing 
system. If designing a new system, we 
must determine how best to integrate 
people, procedures, and equipment to 
meet the objectives of the system. Once a 
PPS is designed or characterized, it must 
be analyzed and evaluated to ensure it 
meets the physical protection objectives. 
The PPS design must allow the com- 
bination of protection elements working 
together to assure protection rather 
than regarding each feature separately. 
Implementation of the PPS design then 
addresses the systematic and integrated 
protection of assets in anticipation of 
adversary attacks, rather than in reaction 
to attacks after they occur. 

If designing a new PPS, the designer 
must determine how best to combine 
such elements as fences, barriers, sensors, 
procedures, communication devices, and 
security personnel into a PPS that can 
achieve the protection objectives. The 
resulting PPS design should meet these 
objectives within the operational, safety, 
legal, and economic constraints of the 



facility. The primary functions of a PPS 
are detection of an adversary, delay of that 
adversary, and response by security per- 
sonnel (guard force). These functions and 
some of their components are shown in 
Figure 5.1. 

Certain guidelines should be observed 
during the PPS design. A PPS system per- 
forms better if detection is as far from the 
target as possible and delays are near the 
target. In addition, there is close associa- 
tion between detection (using exterior or 
interior sensors) and assessment. It is a 
basic principle of security system design 
that detection without assessment is not 
detection, because without assessment 
the operator does not know the cause of 
an alarm. If the alarm is the result of trash 
blowing across an exterior area or lights 
being turned off in an interior area, there 
is no need for a response, since there is 
no valid intrusion (i.e., by an adversary). 
Another close association is the relation- 
ship between response and response force 
communications. A response force cannot 
respond unless it receives a communica- 
tion call for a response. These and many 
other particular features of PPS compo- 
nents help to ensure that the designer 
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Figure 5.1 Functions of a Physical Pro- 
tection System. The PPS functions in- 
clude detection, delay, and response 



takes advantage of the strengths of each 
piece of equipment and uses equip- 
ment in combinations that allow them to 
complement each other and protect any 
weaknesses. 

Design of the PPS begins with a review 
and thorough understanding of the pro- 
tection objectives that the designed system 
must meet. This can be done simply by 
checking for required features of a PPS, 
such as intrusion detection, entry control, 
access delay, response communications, 
and a protective force. However, a PPS 
design based on required features cannot 
be expected to lead to a high-performance 
system unless those features, when used 
together, are sufficient to assure adequate 
levels of protection. Feature-based designs 
only check for the presence of a particular 
number or type of component, with no 
consideration for how effectively the com- 
ponent will perform during an adversary 
attack. A good PPS is designed using com- 
ponents that have validated performance 
measures established for operation. Com- 
ponent performance measures are com- 
bined into system performance measures 
by the application of system modeling 
techniques. 

Physical Protection System Design 

A system may be defined as a collection 
of components or elements designed to 



achieve an objective according to a plan. 
The ultimate objective of a PPS is to 
prevent the accomplishment of overt or 
covert malevolent actions. Typical objec- 
tives are to prevent sabotage of critical 
equipment, theft of assets or information 
from within the facility, and protection of 
people. A PPS must accomplish its objec- 
tives by either deterrence or a combina- 
tion of detection, delay, and response. 
Listed below are the component subsys- 
tems that provide the tools to perform 
these functions. Each of these component 
subsystems will be discussed in detail in 
the remainder of Part Two. 

Functions and Component Subsystems 

Detection 

Exterior/Interior Intrusion Sensors 

Alarm Assessment 

Alarm Communication and Display 

Entry Control Systems 
Delay 

Access Delay 
Response 

Response Force 

Response Force Communications 

The system functions of detection and 
delay can be accomplished by the use of 
either hardware and/or guards. Guards 
usually handle response, although auto- 
mated response technologies are under 
development. There is always a balance 
between the use of hardware and the use 
of guards. In different conditions and 
applications, one is often the preferable 
choice. The key to a successful system is 
the integration of people, procedures, and 
equipment into a system that protects the 
targets from the threats. This integration 
requires a tradeoff analysis of cost versus 
performance, so if a designer decides to 
use more guards and less hardware, there 
should be a corresponding analysis that 
supports this decision. Keep in mind that 
humans are generally not good detectors, 
while equipment is very good at the rep- 
etition and boredom associated with con- 
stant close monitoring. 
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Detection, delay, and response are all 
required functions of an effective PPS. 
These functions must be performed in this 
order and within a length of time that 
is less than the time required for the 
adversary to complete his or her task. A 
well-designed system provides protection- 
in-depth, minimizes the consequence of 
component failures, and exhibits balanced 
protection. In addition, a design process 
based on performance criteria rather than 
feature criteria will select elements and 
procedures according to the contribution 
they make to overall system performance. 
Performance criteria are also measurable, 
so they can help in the analysis of the 
designed system. 

PPS Functions 

The primary PPS functions are detection, 
delay, and response. It is essential to con- 
sider the system functions in detail, since 
a thorough understanding of the defini- 
tions of these functions and the measure 
of effectiveness of each is required to eval- 
uate the system. It is important to note that 
detection must be accomplished for delay 
to be effective. Recall that the highest 
priority system goal is to protect critical 
assets from theft or sabotage by a malevo- 
lent adversary. For a system to be effective 
at this objective, there must be notification 
of an attack (detection), then adversary 
progress must be slowed (delay), which 
will allow the response force time to inter- 
rupt or stop the adversary (response). 



Detection 



2. The information from the sensor and 
assessment subsystems is reported 
and displayed. 

3. A person assesses information and 
judges the alarm to be valid or 
invalid. If assessed as a nuisance 
alarm, detection has not occurred. 
Therefore, detection without assess- 
ment is not considered detection. 
Assessment is the process of deter- 
mining whether the source of the 
alarm is due to an attack or a nui- 
sance alarm. 

These events are depicted in Figure 5.2 
and show that detection is not an instan- 
taneous event. Included in the detection 
function of physical protection is entry 
control. Entry control allows entry to 
authorized personnel and detects the 
attempted entry of unauthorized person- 
nel and material. The measures of effec- 
tiveness of entry control are throughput, 
false acceptance rate, and false rejection 
rate. Throughput is defined as the number 
of authorized personnel allowed access 
per unit time, assuming that all personnel 
who attempt entry are authorized for 
entrance. False acceptance is the rate at 
which false identities or credentials are 
allowed entry, while false rejection rate is 
the frequency of denying access to autho- 
rized personnel. 

The measures of effectiveness for the 
detection function are the probability 
of sensing adversary action, the time 
required for reporting and assessing the 
alarm, and nuisance alarm rate. A sensor 
activates at time T , then at a later time a 
person receives information from the 



Detection is the discovery of an adversary 
action. It includes sensing of covert or 
overt actions. In order to discover an 
adversary action, the following events 
need to occur: 

1. A sensor reacts to a stimulus and ini- 
tiates an alarm. 



Sensor L.jv 
Activated r 1 " 



1, 



Alarm 



u 



Alarm 
Assessed 



Figure 5.2 Detection Functions in a PPS. 
Detection starts with sensor activation 
and ends with assessment of the alarm to 
determine the cause 
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Assessment Time 



* Probability that sensor alarms 

Figure 5.3 Relationship between Assess- 
ment Time and Probability of Detection. 
The probability of detection will decrease 
as assessment time increases 



sensor and assessment subsystems. If the 
time delay between when the sensor acti- 
vates and when the alarm is assessed is 
short, the probability of detection, P D , will 
be close to the probability that the sensor 
will sense the unauthorized action, P s . 
The probability of detection decreases as 
the time before assessment increases. 
Figure 5.3 shows that a long time delay 
between detection and assessment lowers 
the probability of detection, because the 
more time required to make an accurate 
assessment, the less likely it will be that 
the cause of the alarm is still present. For 
example, if sensor alarms are assessed by 
sending a guard to the sensor location, by 
the time the guard arrives there may no 
longer be an obvious alarm source. In this 
case, the delay between sensor initiation 
and assessment was so lengthy that no 
assessment could be made. This is why P D 
decreases. In addition, the delay between 
detection and assessment favors the 
adversary due to the further progression 
of the adversary toward the target before 
the response force has been notified of an 
attack. 

Response force personnel can also 
accomplish detection. Guards at fixed 
posts or on patrol may serve a vital role in 



sensing an intrusion. An effective assess- 
ment system provides two types of in- 
formation associated with detection: 
information about whether the alarm is a 
valid alarm or a nuisance alarm, and 
details about the cause of the alarm — 
what, who, where, and how many. 
However, even when assisted by a video- 
assessment system, humans do not make 
good detectors. Studies have shown that 
brief instances of movement are missed by 
48% of human observers using video 
monitors (Tickner and Poulton, 1973). 

An additional performance measure of 
sensors is the nuisance alarm rate. A nui- 
sance alarm is any alarm that is not 
caused by an intrusion. In an ideal sensor 
system, the nuisance alarm rate would be 
zero. However, in the real world all 
sensors interact with their environment, 
and they cannot discriminate between 
intrusions and other events in their detec- 
tion zone. This is why an alarm assess- 
ment system is needed: not all sensor 
alarms are caused by intrusions. 

Usually nuisance alarms are further 
classified by source. Both natural and 
industrial environments can cause nui- 
sance alarms. Common sources of natural 
noise are vegetation (trees and weeds), 
wildlife (animals and birds), and weather 
conditions (wind, rain, snow, fog, light- 
ning). Industrial sources of noise include 
ground vibration, debris moved by wind, 
and electromagnetic interference. False 
alarms are those nuisance alarms gener- 
ated by the equipment itself (whether by 
poor design, inadequate maintenance, or 
component failure). 



Delay 

Delay is the second function of a PPS. 
It is the slowing down of adversary 
progress. Delay can be accomplished by 
people, barriers, locks, and activated 
delays. The response force can be con- 
sidered elements of delay if they are in 
fixed and well-protected positions. The 
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Figure 5.4 Delay Function. Delay compo- 
nents include barriers and members of the 
response force. Barriers include active 
and passive barriers 



measure of delay effectiveness is the time 
required by the adversary (after detection) 
to bypass each delay element. Although 
the adversary may be delayed prior to 
detection, this delay is of no value to the 
effectiveness of the PPS since it does not 
provide additional time to respond to the 
adversary. Delay before detection is pri- 
marily a deterrent. There are some situa- 
tions where barriers are placed before 
detection; however, this application is 
meant to force adversaries to change or 
abandon their tactic. For example, the use 
of speed bumps or placement of jersey 
bounce barriers along the sides of a road 
will slow down or prevent an adversary in 
a vehicle from leaving the road. Figure 
5.4 summarizes the function of delay in 
a PPS. 

Response 

The response function consists of the 
actions taken by the response force to 
prevent adversary success. Response, as it 
is used here, consists of interruption. 
Interruption is defined as a sufficient 
number of response force personnel arriv- 
ing at the appropriate location to stop the 
adversary's progress. It includes the com- 
munication to the protection force of 
accurate information about adversary 
actions and the deployment of the re- 
sponse force. The measure of response 
force effectiveness is the time between 



Figure 5.5 Response Function. Response 
components include communication, pro- 
per deployment of the response force, and 
interruption of the adversary prior to at- 
tack completion 



receipt of a communication of adversary 
action and the interruption of the adver- 
sary action (response force time). The PPS 
response function is shown in Figure 5.5. 
An additional measure of response force 
effectiveness, neutralization, is also used 
in some high-security applications. Neu- 
tralization is a measure of the outcome of 
a force-on-force confrontation between 
the response force and adversaries. This 
type of response is rarely seen in in- 
dustrial applications. This concept will 
be discussed further in Chapter 12, 
"Response." 

The effectiveness measures for response 
communication are the probability of 
accurate communication and the time 
required for communication. The time 
after information is initially transmitted 
may vary considerably depending on 
the method of communication. After 
the initial period, the probability of val- 
id communication begins to increase rap- 
idly. As shown in Figure 5.6, with 
each repeat, the probability of correct 
and current data being communicated is 
increased. There can be some delay in 
establishing accurate communication due 
to human behavior. On the first attempt to 
communicate, the operator is alerted that 
there is a call, but may not have heard all 
the relevant information. Then a request 
for a second transmission is made to 
repeat the information, and finally, the 
operator understands the call and asks for 
clarification. 

Deployment describes the actions of the 
protective force from the time communi- 
cation is received until the force is in 
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Probability of correct communication 
increases with each transmission of 
information. 
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Figure 5.6 Variation of Probability of 
Communication with Time. As the time 
to establish accurate communication in- 
creases, the probability of communication 
increases 



position to interrupt the adversary. The 
effectiveness measure of this function 
is the probability of deployment to the 
adversary location and the time required 
to deploy the response force. 
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Figure 5.7 Interrelationship of PPS Func- 
tions. Detection begins upon receipt of 
the first alarm and ends when the alarm 
is assessed. The delay function slows 
down the adversary in order to allow 
the response force time to deploy. The 
PPS must provide enough time for the 
response force to stop the adversary from 
successfully completing the task 



Relationship of PPS Functions 

Figure 5.7 shows the relationships be- 
tween adversary task time and the time re- 
quired for the PPS to do its job. The total 
time required for the adversary to accom- 
plish the goal has been labeled Adversary 
Task Time. It is dependent upon the delay 
provided by the PPS. The adversary may 
begin the task at some time before the first 
alarm occurs, which is labeled on the 
diagram as T . The adversary task time is 
shown by a dashed line before this point 
because delay is not effective before 
detection. After the alarm, the alarm infor- 
mation must be reported and assessed to 
determine if the alarm is valid. The time 
at which the alarm is assessed to be valid 
is labeled T A , and at this time the location 
of the alarm must be communicated to the 
members of the response force. Further 
time is then required for the response 



force to respond in adequate numbers and 
with adequate equipment to interrupt 
adversary actions. The time at which 
the response force interrupts adversary 
actions is labeled T b and adversary task 
completion time is labeled T c . Clearly, in 
order for the PPS to accomplish its objec- 
tives, Tt must occur before T c . It is equally 
clear that detection (the first alarm) 
should occur as early as possible and T 
(as well as T A and T|] should be as far to 
the left on the time axis as possible. 

Characteristics of an Effective PPS 

The effectiveness of the PPS functions of 
detection, delay, and response and their 
relationships have been discussed. In 
addition, all of the hardware elements of 
the system must be installed, maintained, 
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and operated properly. The procedures of 
the PPS must be compatible with the facil- 
ity procedures and integrated into the PPS 
design. Training of personnel in policies, 
procedures, and operation of equipment 
is also important to system effectiveness. 
Security, safety, and operational objec- 
tives must be accomplished at all times. 
A well-engineered PPS will exhibit the 
following characteristics: 

• protection-in-depth 

• minimum consequence of compo- 
nent failure 

• balanced protection 

Protection-in-Depth 

Protection-in-depth means that to accom- 
plish the goal, an adversary should be 
required to avoid or defeat a number 
of protective devices in sequence. For 
example, an adversary might have to 
defeat one sensor and penetrate two sep- 
arate barriers before gaining entry to a 
process control room or a filing cabinet in 
the project costing area. The actions and 
times required to penetrate each of these 
layers may not necessarily be equal, and 
the effectiveness of each may be quite dif- 
ferent, but each will require a separate 
and distinct act by the adversary moving 
along the path. The effect produced on 
the adversary by a system that provides 
protection-in-depth will be: 

• to increase uncertainty about the 
system 

• to require more extensive prepara- 
tions prior to attacking the system 

• to create additional steps where the 
adversary may fail or abort the 
mission 

Minimum Consequence of 
Component Failure 

It is unlikely that a complex system will 
ever be developed and operated that does 



not experience some component failure 
during its lifetime. Causes of component 
failure in a PPS are numerous and can 
range from environmental factors (which 
may be expected) to adversary actions 
beyond the scope of the threat used in the 
system design. Although it is important to 
know the cause of component failure in 
order to restore the system to normal oper- 
ation, it is more important that contin- 
gency plans are provided so the system 
can continue to operate. Requiring por- 
tions of these contingency plans to be 
carried out automatically (so that redun- 
dant equipment automatically takes over 
the function of disabled equipment) may 
be highly desirable in some cases. An 
example of this is the presence of backup 
power at a facility. In the event that an 
adversary disables the primary power 
source, generators or batteries can be used 
to power the security system. Some com- 
ponent failures may require aid from 
sources outside of the facility in order 
to minimize the impact of the failure. 
One example of this is the use of local 
law enforcement to supplement airport 
security personnel at times of higher 
alert status. In this case, the component 
failure is the temporary lack of suffi- 
cient response forces under new threat 
conditions. 



Balanced Protection 

Balanced protection means that no matter 
how an adversary attempts to accomplish 
the goal, effective elements of the PPS will 
be encountered. Consider, for example, 
the barrier surface that surrounds a room. 
This surface may consist of: 

• walls, floors, and ceilings of several 
types 

• doors of several types; equipment 
hatches in floors and ceilings 

• heating, ventilating, and air condi- 
tioning openings with various types 
of grilles 
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For a completely balanced system, the 
minimum time to penetrate each of these 
barriers would be equal, and the min- 
imum probability of detecting penetration 
of each of these barriers should be equal. 
However, complete balance is probably 
not possible or desirable. Certain ele- 
ments, such as walls, may be extremely 
resistant to penetration, not because of 
physical protection requirements, but due 
to structural or safety requirements. Door, 
hatch, and grille delays may be consider- 
ably less than wall delays and still be 
adequate. There is no advantage in over- 
designing by installing a costly door that 
would take several minutes to penetrate 
with explosives, if the wall with the door 
were standard dry wall, which could be 
penetrated in a few seconds with hand 
tools. 

Finally, features designed to protect 
against one form of threat should not 
be eliminated because they overprotect 
against another threat. The objective 
should be to provide adequate protection 
against all threats on all possible paths 
and to maintain a balance with other con- 
siderations, such as cost, safety, or struc- 
tural integrity. 

Design Criteria 

Any design process must have criteria 
against which elements of the design will 
be evaluated. A design process based on 
performance criteria will select elements 
and procedures according to the contri- 
bution they make to overall system per- 
formance. The effectiveness measure will 
be overall system performance. By estab- 
lishing a measure of overall system 
performance, these values may be com- 
pared for existing (baseline) systems and 
upgraded systems and the amount of 
improvement determined. This increase 
in system effectiveness can then be com- 
pared to the cost of implementation of 
the proposed upgrades and a cost/benefit 
analysis can be supported. 



A feature criteria approach selects ele- 
ments or procedures to satisfy require- 
ments that certain items are present. The 
effectiveness measure is the presence 
of those features. The use of a feature 
criteria approach in regulations or re- 
quirements that apply to a PPS should 
generally be avoided or handled with 
extreme care. Unless such care is exer- 
cised, the feature criteria approach can 
lead to the use of a checklist method to 
determine system adequacy, based on the 
presence or absence of required features. 
This is clearly not desirable, since over- 
all system performance is of interest, 
rather than the mere presence or absence 
of system features or components. For 
example, a performance criterion for a 
perimeter detection system would be that 
the system be able to detect a running 
intruder using any attack method. A 
feature criterion for the same detection 
system might be that the system includes 
two specific sensor types, such as motion 
detection and a fence sensor. 

The conceptual design techniques pre- 
sented in this text are based on a perfor- 
mance-based approach to meeting the PPS 
objectives. Much of the component tech- 
nology material will, however, be appli- 
cable for either performance criteria or 
feature criteria design methods. 

The performance measures for the PPS 
functions are: 

Detection 

• Probability of detection 

• Time for communication and assess- 
ment 

• Frequency of nuisance alarms 
Delay 

• Time to defeat obstacles 
Response 

• Probability of accurate communica- 
tion to response force 

• Time to communicate 

• Probability of deployment to adver- 
sary location 

• Time to deploy 

• Response force effectiveness 
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Additional Design Elements 



As emphasized above, an effective PPS 
will combine people, procedures, and 
equipment into an integrated system that 
will protect assets from the expected 
threat. The use of people and technology 
components are important design tools 
that often form the basis for protection 
systems. The use of procedures as pro- 
tection elements cannot be overstated. 
Procedural changes can be cost-effective 
solutions to physical protection issues, 
although when used by themselves they 
will only protect assets from the lowest 
threats. Procedures include not only the 
operational and maintenance procedures 
previously described, but also the training 
of facility personnel in security awareness 
and of guards or other response forces 
in when and how to stop an adversary. 
Another procedural design tool is the use 
of investigations. Investigation may be the 
response to a loss event or may be used to 
anticipate a threat, such as in background 
investigations of potential employees. 
Regardless of how the investigation tool 
is used, it is an important design ele- 
ment in a PPS and should be used when 
appropriate. Of course, for critical high- 
consequence loss assets, an investigation 
after the fact may be too late. In these 
cases, more immediate responses will be 
required to prevent loss of or damage to 
the critical asset. 

In addition to use of the investigative 
tool, some corporations axe applying more 
resources to the use of technical surveil- 
lance countermeasures, such as sweeps 
and searches for electronic bugging 
devices. This is an additional aspect of a 
security system that, like executive pro- 
tection, must be part of an integrated 
approach to asset protection. The use of 
hotels and other nonproprietary sites for 
seminars or meetings provides the oppor- 
tunity for industrial espionage. For these 
threats, a security manager may choose to 
send personnel to the meeting location 



and assure that a room or area is free 
of any recording or other surveillance 
equipment. Technical surveillance tech- 
niques may also be used within a facility, 
either on a daily basis or for some special 
events, such as on-site Board of Directors 
meetings, to prevent theft of information. 

The performance measures for investi- 
gative and technical surveillance tech- 
niques do not lend themselves to quan- 
tification as readily as technical protec- 
tion elements. In these cases, discovery of 
the person responsible for the theft or 
damage or the presence of surveillance 
devices serves as the measure of perfor- 
mance for the design element. These tools 
are very useful, but may not be sufficient 
for protection of critical assets at sites. As 
with any design, the design elements used 
to achieve the protection system objec- 
tives will depend on the threat, the likeli- 
hood of an attack, and the consequence of 
loss of the asset. 

There are a wide variety of procedural 
elements that can be incorporated into an 
effective system design at a facility. These 
are too numerous to be listed in detail here, 
but as general guidelines, procedures can 
supplement a good technical design and 
training. Procedures that can be consid- 
ered, depending on the threat and the 
value of the asset, include shredding of all 
papers before disposal, locking procedures 
for safes, password control and update for 
computer systems, random drug searches 
in accordance with company policies 
and legal requirements, periodic audits 
of employee computer files, and issuing 
parking permits to employees and autho- 
rized visitors. Regardless of the type of 
procedure that is used, these procedures 
are another design tool that falls into one 
of the three functions of a good PPS — 
detection, delay, and response. 

Summary 

This chapter covers the use of a systematic 
and measurable approach to the design 
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of a PPS. It emphasizes the concept of 
detection, followed by delay and response, 
and presents a brief description of the rela- 
tionship of these functions. Specific per- 
formance measures of various components 
of a PPS are described, as well as desired 
characteristics of a good PPS, includ- 
ing protection-in-depth, minimum conse- 
quence of component failures, and bal- 
anced protection. The process stresses 
the use of integrated systems combining 
people, procedures, and equipment to 
meet the protection objectives. Emphasis 
is placed on the design of performance- 
based systems, rather than feature-based, 
since systems based on performance will 
indicate how successful the design is at 
meeting the protection objectives, not just 
the presence or absence of components. 
The use of performance measures will 
also enable a cost/benefit analysis that can 
compare increased system effectiveness 
to cost of implementation. 

Security Principles 

The functions of a PPS are detection, 
delay, and response. They represent the 
integration of people, procedures, and 
equipment to meet the system objectives. 

Detection is placed before delay, with 
detection most effective at the peri- 
meter and delay more effective at the 
target. Detection is not complete without 
assessment. 

The total time for detection, delay, and 
response must be less than the adversary's 
task time to protect critical assets. 

Characteristics of a good PPS are 
protection-in-depth, minimizing the ef- 
fect of component failure, and balanced 
protection. 



Performance-based design criteria are 
better than feature-based when measuring 
overall system effectiveness. 
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Questions 



1. It is often said that the role of phys- 
ical protection is to encourage the 
adversary to attack someone else's 
plant. Is that the role of physical pro- 
tection? Explain. 

2. If all analyses point out that the 
earlier the adversary is detected, the 
better our chances of defeating him 
or her, then what prevents us from 
moving sensors out to the very limits 
of our property? 

3. Explain the difference between al- 
arm communication and response 
communication? 

4. If we were to use guard towers 
around the site, which of the PPS 
system functions (detection, delay, 
or response) would be enhanced the 
most? 

5. What is the advantage of a system 
with protection-in-depth compared 
to one that is very secure at one 
level? 

6. Explain balanced protection. 

7. What is the difference between 
performance criteria and feature 
criteria? 
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Intrusion detection systems consist of 
exterior and interior intrusion sensors, 
video alarm assessment, entry control, and 
alarm communication systems all working 
together. Exterior sensors are those used 
in an outdoor environment, and interior 
sensors are those used inside buildings. 

Intrusion detection is defined as the 
detection of a person or vehicle attempt- 
ing to gain unauthorized entry into an area 
that is being protected by someone who 
is able to authorize or initiate an appro- 
priate response. The intrusion detection 
boundary is ideally a sphere enclosing the 
item being protected so that all intrusions, 
whether by surface, air, underwater, or 
underground, are detected. The develop- 
ment of exterior intrusion detection tech- 
nology has emphasized detection on or 
slightly above the ground surface, with 
increasing emphasis being placed on air- 
borne intrusion. This chapter will primar- 
ily cover ground-level intrusion. 

Performance Characteristics 

Intrusion sensor performance is described 
by three fundamental characteristics — 



probability of detection (P D ), nuisance 
alarm rate, and vulnerability to defeat. An 
understanding of these characteristics is 
essential for designing and operating an 
effective intrusion sensor system. 



Probability of Detection 

For the ideal sensor, the P D of an intrusion 
is one (1.0). However, no sensor is ideal, 
and the P D is always less than 1. The way 
that P D is calculated does not allow a P D 
of 1, Even with thousands of tests, the P D 
only approaches 1. For any specific sensor 
and scenario (for example, a specific facil- 
ity at night, in clear weather, a crawling 
attacker), the two values P D and confi- 
dence level (CJ are used to describe the 
effectiveness of the sensor. The sensor 
will detect the intrusion with probability 
of detection P D for confidence level C L . 
This means that, based upon test results 
and with probability C L the sensor's true, 
but unknown, probability of detection is 
at least P D . For an ideal sensor the P D 
would be 1.0 with a C L of 1.0 or 100%. In 
reality, a P D or a C L equal to 1.0 will not 
occur, because complete knowledge of a 
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sensor's effectiveness is never achieved. 
Also, the pair (P D , CJ is not unique; based 
upon the same test results, it is possible 
to calculate different P D s for different C L s. 
Most commonly, values of 90%, 95%, or 
even 99% are used for C L , although a 
value of 99% would require very exten- 
sive testing. Although technically incor- 
rect, manufacturers will often state values 
of P D without stating the corresponding 
value of C L . When this happens, it is rea- 
sonable to assume that they are inferring 
a value of at least 90% for C L . 

The probability of detection depends 
primarily upon: 

• target to be detected (i.e., a walking, 
running, or crawling intruder; tun- 
neling; etc.) 

• sensor hardware design 

• installation conditions 

• sensitivity adjustment 

• weather conditions 

• condition of the equipment 

All of the above conditions can vary, and 
thus, despite the claims of some sensor 
manufacturers, a specific P D cannot be 
assigned to each component or set of 
sensor hardware. Due to this variation, 
any P D assigned to a sensor is conditional, 
based on the assumptions made about the 
conditions in which the sensor operates. 
For example, an intrusion sensor may 
have one P D for a low-level threat such as 
a vandal, and another lower P D against 
a more sophisticated threat. This is an 
area where the design basis threat drives 
system design. If the design basis threat is 
three criminals with considerable knowl- 
edge and skill, it would be better to use a 
sensor that has a higher P D , since we are 
faced with a more capable adversary. If the 
threat is expected to be teenagers vandal- 
izing property, a lower P D can be tolerated, 
since the threat is correspondingly less. 
Similarly, it would be impractical to use a 
microwave sensor in an area that received 
deep snow accumulation during the 
winter, since this could allow an adver- 



sary to tunnel undetected into the facility 
through the snow. For these reasons, 
sensor selection must be matched to the 
application and environment. 

It is important that the system designer 
specify the detection criteria required or 
expected of a sensor or sensor system. 
This specification should be clear as to 
what will be detected, what actions are 
expected, any other considerations such 
as weight or speed of movement, and 
what P D is required. An example of a 
detection criterion might be: the perime- 
ter intrusion detection system shall be 
capable of detecting a person, weighing 
35 kilograms or more, crossing the detec- 
tion zone by walking, crawling, jumping, 
running, or rolling, at speeds between 
0.15 and 5 meters per second, or climbing 
the fence at any point in the detection 
zone, with a detection probability of 90% 
at 95% confidence. This represents a clear 
and measurable set of conditions, not just 
a statement such as "successful detection 
should occur most of the time." Notice 
that the former specification is clear that 
the system will perform as expected with 
the implication that this should happen 
day or night, good weather or bad, while 
the latter will be hard to objectively 
measure. When a high P D is required 24 
hours a day under all expected weather 
conditions, the use of multiple sensors 
is recommended. Contingency plans and 
procedures should exist so that compen- 
satory measures can be implemented in 
the event of loss of any or all sensors. 



Nuisance Alarm Rate (NAR) 

A nuisance alarm is any alarm that is not 
caused by an intrusion. Nuisance alarm 
rate is a function of the number of nui- 
sance alarms over a given time period. In 
an ideal sensor system, the nuisance 
alarm rate would be zero (0.0). However, 
in the real world all sensors interact with 
their environment, and they cannot dis- 
criminate between adversary intrusions 
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and other events in their detection zone. 
This is why an alarm assessment system 
is needed — not all sensor alarms are 
caused by intrusions. This is also why it 
is ineffective to have the guard force 
respond to every alarm. Assessment, then, 
serves the purpose of determining the 
cause of the alarm, and whether or not it 
requires a response. This is why we say 
that detection is not complete without 
assessment. 

Usually nuisance alarms are further 
classified by source. Both natural and 
industrial environments can cause nui- 
sance alarms. Common sources of natural 
noise are vegetation (trees and weeds), 
wildlife (animals and birds), and weather 
conditions (wind, rain, snow, fog, light- 
ning). Industrial sources of noise include 
ground vibration, debris moved by wind, 
and electromagnetic interference. 

False alarms are those nuisance alarms 
generated by the equipment itself (wheth- 
er by poor design, inadequate mainte- 
nance, or component failure). Different 
types of intrusion sensors have different 
sensitivities to these nuisance or false 
alarm sources, as is discussed in detail 
later in this chapter. 

As with P D , it is important to specify 
an acceptable false alarm rate (FAR). For 
example, the FAR for the total perimeter 
intrusion system shall not average more 
than one false alarm per week, per zone, 
while maintaining a P D of 0.9. This state- 
ment is much more meaningful than: a 
higher FAR and NAR may be tolerated if 
this does not result in system degradation. 
In this case, system degradation takes on 
a very subjective meaning and so becomes 
harder to measure. Establishing specific 
values for false alarm rates also helps the 
operator determine when a sensor should 
be reported to maintenance personnel. 



Vulnerability to Defeat 

An ideal sensor could not be defeated; 
however, all existing sensors can be 



defeated. Different types of sensors and 
sensor models have different vulnerabil- 
ities to defeat. The objective of the PPS 
designer is to make the system very diffi- 
cult to defeat. There are two general ways 
to defeat the system: 

• Bypass — Because all intrusion sen- 
sors have a finite detection zone, 
any sensor can be defeated by going 
around its detection volume. 

• Spoof — Spoofing is any technique 
that allows the target to pass through 
the sensor's normal detection zone 
without generating an alarm. 

Sensor Classification 

There are several ways of classifying the 
many types of exterior intrusion sensors. 
In this discussion, five methods of clas- 
sification are used: 

• passive or active 

• covert or visible 

• line-of-sight or terrain-following 

• volumetric or line detection 

• application 

Passive or Active 

Passive sensors detect some type of 
energy that is emitted by the target of 
interest, or detect the change of some 
natural field of energy caused by the 
target. Examples of the former are me- 
chanical energy from a human walking on 
the soil or climbing on a fence. An 
example of the latter is a change in the 
local magnetic field caused by the pres- 
ence of a metal. Passive sensors utilize a 
receiver to collect the energy emissions. 
Passive sensor technologies include those 
based on vibration, heat, sound, and 
capacitance. 

Active sensors transmit some type of 
energy and detect a change in the received 
energy created by the presence or motion 



66 



Design Physical Protection System 



of the target. They generally include both 
a transmitter and a receiver and include 
microwave, infrared, and other radio fre- 
quency (RF) devices. 

The distinction of passive or active has 
a practical importance. The presence or 
location of a passive sensor is more diffi- 
cult to determine than that of an active 
sensor since there is no energy source 
for the adversary to locate; this puts the 
intruder at a disadvantage. In environ- 
ments with explosive vapors or materials, 
passive sensors are safer than active ones 
because no energy that might initiate 
explosives is emitted. Active sensors, 
because of their stronger signals, more 
effectively eliminate nuisance alarms. 

Covert or Visible 

Covert sensors are hidden from view; 
examples are sensors that are buried in 
the ground. Visible sensors are in plain 
view of an intruder; examples are sensors 
that are attached to a fence or mounted on 
another support structure. Covert sensors 
are more difficult for an intruder to detect 
and locate, and thus they can be more 
effective; also, they do not affect the 
appearance of the environment. Visible 
sensors may, however, deter the intruder 
from acting. Visible sensors are typically 
simpler to install and easier to repair and 
maintain than covert ones. 

Line-of-Sight or Terrain-Following 

Line-of-sight (LOS) sensors perform ac- 
ceptably only when installed with a 
clear LOS in the detection space. This 
usually means a clear LOS between the 
transmitter and receiver for active sen- 
sors. These sensors normally require a 
flat ground surface, or at least a clear LOS 
from each point on the ground surface to 
both the transmitter and receiver. The use 
of LOS sensors on sites without a flat 
terrain requires extensive site preparation 
to achieve acceptable performance. 



Terrain-following sensors detect equally 
well on flat and irregular terrain. The 
transducer elements and the radiated field 
follow the terrain and result in uniform 
detection throughout the detection zone. 



Volumetric or Line Detection 

Volumetric sensors detect intrusion in a 
volume of space. An alarm is generated 
when an intruder enters the detection 
volume. The detection volume is gener- 
ally not visible and is hard for the intruder 
to identify precisely. 

Line detection sensors detect along a 
line. For example, sensors that detect 
fence motion are mounted directly on the 
fence. The fence becomes a line of detec- 
tion, since an intruder will not be 
detected while approaching the fence; 
detection occurs only if the intruder 
moves the fence fabric where the sensor 
is attached. The detection zone of a 
line detection sensor is usually easy to 
identify. 



Application 

In this classification method, the sensors 
are grouped by mode of application in the 
physical detection space. These modes 
are: 

• buried line, in which the sensor is in 
the form of a line buried in the 
ground; 

• fence-associated, in which the sensor 
either is mounted on a fence or forms 
a sensor fence; 

• freestanding, being neither buried 
nor associated with a fence, but 
mounted on a support in free space. 



Sensor Technology 



In this chapter, sensors are grouped by 
their modes of application. Table 6.1 sum- 
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Table 6.1 Types of Exterior Sensors 


and Characteristics. 
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marizes the different exterior intrusion 
sensor technologies according to the 
different sensor classification schemes. 
Many sensor technology reviews have 
been published and supplement the 
material presented in this chapter 
(Barnard, 1988; Cumming, 1992; 
Fennelly, 1996; Williams, 1988). 

Buried-Line Sensors 

At present there are four types of buried- 
line sensors that depend on different 
sensing phenomena: pressure or seismic 
sensors, magnetic field sensors, ported 
coaxial cable sensor, and fiber-optic 
sensors. 

Pressure or Seismic 

Pressure or seismic sensors are passive, 
covert, terrain-following sensors that are 
buried in the ground. They respond to dis- 
turbances of the soil caused by an intruder 
walking, running, jumping, or crawling 
on the ground. Pressure sensors are gen- 
erally sensitive to lower frequency pres- 
sure waves in the soil, and seismic 



sensors are sensitive to higher frequency 
vibration of the soil. 

A typical pressure sensor consists of 
a reinforced hose that is filled with a 
pressurized liquid and connected to a 
pressure transducer. A balanced pressure 
system consists of two such hoses con- 
nected to a transducer to permit differen- 
tial sensing and to reduce nuisance alarms 
from seismic sources located far away. 

A typical seismic sensor consists of a 
string of geophones. A geophone consists 
of a conducting coil and a permanent 
magnet. Either the coil or the magnet is 
fixed in position, and the other is free to 
vibrate during a seismic disturbance. In 
both cases, an electrical current is gener- 
ated in the coil. Far-field effects in seismic 
sensors can be reduced by alternating the 
polarity of the coils in the geophone 
string. 

The sensitivity of this type of sensor is 
very dependent on the type of soil in 
which it is buried. The best burial depth 
is also dependent on the soil. The trade- 
off is high probability of detection with 
narrow detection width at a shallow 
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depth, versus lower probability of detec- 
tion with wider detection width at a 
greater depth. A test conducted on site 
with short test sections of the sensor 
buried at different depths is recom- 
mended to determine the optimum depth. 
A typical detection width is in the range 
of 3 to 6 feet. 

Pressure and seismic sensors tend to 
lose sensitivity in frozen soil. Thus, at 
sites where the soil freezes in winter, 
either reduced winter sensitivity must be 
accepted, or a semiannual adjustment to 
pressure and seismic sensors must be 
made to obtain equivalent sensitivity 
throughout the year. 

Many sources of seismic noise may 
affect these sensors and cause nuisance 
alarms. The primary natural source of 
nuisance alarms is wind energy that is 
transmitted into the ground by fences, 
poles, and trees. Seismic sources made 
by humans include vehicular traffic 
(cars, trucks, trains) and heavy industrial 
machinery. Forklifts, which do not have 
the typical suspension found on other 
types of vehicles, generate a lot of seismic 
noise. Because these sensors are passive 
and buried, movement above the ground 
is not detected. If the location of the 
buried-line sensor is known, an adversary 
may defeat this sensor by forming a low 
bridge over the transducer line. 

Magnetic Field 

Magnetic field sensors are passive, covert, 
terrain-following sensors that are buried 
in the ground. They respond to a change 
in the local magnetic field caused by the 
movement of nearby metallic material. 
Thus magnetic field sensors are effective 
for detecting vehicles or intruders with 
weapons. 

This type of sensor consists of a series 
of wire loops or coils buried in the 
ground. Movement of metallic material 
near the loop or coil changes the local 
magnetic field and induces a current. 
Magnetic field sensors can be suscepti- 
ble to local electromagnetic disturbances 



such as lightning. Intruders who are not 
wearing or carrying any metal will be able 
to defeat this type of sensor. Magnetic 
field sensors are primarily used to detect 
vehicle traffic. 

Ported Coaxial Cables 

Ported coaxial cable sensors are active, 
covert, terrain-following sensors that are 
buried in the ground. They are also 
known as leaky coax or radiating cable 
sensors. This type of sensor responds to 
motion of a material with a high dielectric 
constant or high conductivity near the 
cables. These materials include both the 
human body and metal vehicles. Figure 
6.1 shows the installation of one type of 
ported coaxial cable. 

The name of this sensor is derived from 
the construction of the transducer cable. 
The outer conductor of this coaxial cable 
does not provide complete shielding for 
the center conductor, and thus some of the 
radiated signal leaks through the ports 
of the outer conductor. The detection 
volume of ported coax sensors extends 
significantly above the ground: about 1.5 
to 3.0 feet above the surface, and about 3 




Figure 6.1 Installation of Ported Coaxial 
Cable. This type of ported coax uses two 
cables and is installed with one cable in 
each trench. The trenches must be con- 
sistently spaced and flat. Usually the 
trench bottom is partially filled with sand 
prior to laying the cable 
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to 6 feet wider than the cable separation. 
The sensitivity of this type of sensor 
in frozen soil actually increases slightly 
relative to thawed conditions. This is 
because some of the field energy is 
absorbed by conductive soil, and the con- 
ductivity of frozen ground is less than that 
of thawed ground. 

Metal or water in the ported coax detec- 
tion zone can cause two types of sensor 
problems. Moving metal objects and 
moving water are large targets for ported 
coax sensors and thus are a major poten- 
tial source of nuisance alarms. Both 
flowing water and standing water (pri- 
marily flowing water) contribute to this 
problem. The second problem is that fixed 
metal objects and standing water distort 
the radiated field, possibly to the extent 
of creating insensitive areas with no 
detection. Nearby metal objects or utility 
lines should be excluded from the detec- 
tion volume. This includes above-ground 
fences and poles, and underground water 
lines and electrical cables. 

The P D of ported coaxial cable is 
affected by the ported coaxial cable 
processor settings, orientation of the 
intruder, soil characteristics, and the pres- 
ence of metallic objects. Large amounts of 
salt or metals in the soil will also degrade 
performance of this sensor. 

Fiber-Optic Cables 

Optical fibers are long, hair-like strands of 
transparent glass or plastic. Fiber-optics is 
the class of optical technology that uses 
these transparent fibers to guide light from 
one end to the other. As light travels 
through the fiber, it remains in the clear 
plastic core by reflecting off the surface 
of cladding material that has a different 
refraction index. Thus the fiber becomes a 
"light-pipe." 

The fiber does not have to be straight 
since light reflects off a curved or straight 
surface. The light diffraction (speckle) 
pattern and the light intensity at the end 
of the fiber are a function of the shape of 
the fiber over its entire length. Even the 



slightest change in the shape of the fiber 
can be sensed using sophisticated sensors 
and computer signal processing at the far 
end (100 yards or more). Thus a single 
strand of fiber-optic cable, buried in the 
ground at the depth of a few centimeters, 
can very effectively give an alarm when 
an intruder steps on the ground above the 
fiber (Wolfenbarger, 1994). To ensure that 
an intruder steps above the fiber, it is 
usually woven into a grid and buried just 
beneath the surface. A typical installation 
of fiber-optic mesh on the ground is 
shown in Figure 6.2. 

Since fiber-optic cable senses vibra- 
tions, nuisance alarm sources can be 
similar to those of seismic sensors. By 
decreasing the seismic coupling to the 
soil, for example installing the sensor in 
gravel, seismic events can be minimized 
so the nuisance alarm rate will be 
much lower. 

Fence-Associated Sensors 

There are three types of intrusion sensors 
that either mount on or attach to a fence 
or form a fence using the transducer 




Figure 6.2 Installation of Fiber-Optic 
Mesh as a Ground Sensor. Once installed 
the mesh is covered with gravel or dirt. 
Stepping on the ground above the mesh 
causes the fiber to bend and changes the 
received signal. This change in signal 
causes an alarm 
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material: fence-disturbance sensors, sensor 
fences, and electric field or capacitance 
sensors. 

Fence-Disturbance Sensors 

Fence-disturbance sensors are passive, 
visible, terrain-following sensors that are 
designed to be installed on a security 
fence, typically constructed with chain- 
link mesh. These sensors are considered 
terrain-following because the chain-link 
mesh is supported every three yards with 
a galvanized steel post, and thus the fence 
itself is terrain-following. 

Fence-disturbance sensors can detect 
motion or shock. Thus they are intended 
to detect primarily an intruder who 
climbs on or cuts through the fence fabric. 
Several kinds of transducers are used to 
detect the movement or vibration of the 
fence. These include switches, electro- 
mechanical transducers, strain sensitive 
cables, piezoelectric crystals, geophones, 
fiber-optic cables, or electric cable. 

Fence-disturbance sensors respond to 
all mechanical disturbances of the fence, 
not just intruders. Common noise sources 
include wind and debris blown by wind, 
rain driven by wind, hail, and seismic 
activity from nearby traffic and machinery 
coupled to the fence through the ground. 
Good fence construction is important to 
minimize nuisance alarms, so rigid fence 
posts and tight fence fabric are required. 
Fence posts should not move more than 
0.5 inches for a 50-pound pull applied 5 
feet above the ground. Fence fabric should 
deflect no more than 2.5 inches for a 30- 
pound pull centered between fence posts. 
To eliminate nuisance alarms caused by 
rattles, do not place signs, loose ties, or 
other items on the fence. In addition, 
installing fence sensors on the inner fence 
of a two-fence system can reduce the 
NAR. This precaution will allow the outer 
fence to block blowing trash or other 
debris, and keep small animals away from 
the inner sensored fence. 

Digging under the fence or bridging 
over the fence without touching the fence 



itself can defeat fence-disturbance sen- 
sors. Digging can be deterred by putting 
concrete under the fence. The bottom 
edge of the fabric can also be placed in the 
concrete. The P D of fence-disturbance 
sensors is affected by the fabric tension, 
the fence processor settings, the rigidity of 
the fence, any noise coupled to the fence, 
and the aids used by the adversary to 
defeat the fence. For example, if the 
adversary defeats the fence by the use of 
a ladder and never touches the fence, the 
P D will be very low or zero. 

Sensor Fences 

Sensor fences are passive, visible, terrain- 
following sensors that make use of the 
transducer elements to form a fence itself. 
These sensor fences are designed primar- 
ily to detect climbing or cutting on the 
fence. There are several common fence 
configurations. 

Taut-wire sensor fences consist of 
many parallel, horizontal wires with high 
tensile strength that are connected under 
tension to transducers near the midpoint 
of the wire span. These transducers detect 
deflection of the wires caused by an 
intruder cutting the wires, climbing on 
the wires to get over the fence, or sepa- 
rating the wires to climb through the 
fence. The wire is typically barbed 
wire, and the transducers are mechanical 
switches, strain gauges, or piezoelectric 
elements. Taut-wire sensor fences can 
either be mounted on an existing set of 
fence posts or installed on an indepen- 
dent row of posts. 

Sensor fences tend to be much less 
susceptible to nuisance alarms than 
fence-disturbance sensors because the 
transducers are not sensitive to vibrations 
and require a force of approximately 25 
pounds on the wire to cause an alarm. 
However, because sensor fences also have 
a well-defined plane of detection, they are 
vulnerable to the same defeat methods 
as fence-disturbance sensors. Taut-wire 
fences attribute most nuisance alarms to 
large animals walking into the fence, 
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improper installation or maintenance, 
and ice storms. 

The P D of taut wire fences is affected by 
the tension of the wires, wire friction, and 
wire spacing. If the spacing between two 
wires is large enough to allow a person to 
pass through undetected, the P D will be 
much lower than if spacing is kept to 4 
inches or less (Greer, 1990). 

Electric Field or Capacitance 

Electric field or capacitance sensors are 
active, visible, terrain-following sensors 
that are designed to detect a change in 
capacitive coupling among a set of wires 
attached to, but electrically isolated from, 
a fence. 

The sensitivity of electric field sensors 
can be adjusted to extend up to 1 meter 
beyond the wire or plane of wires. A high 
sensitivity typically has a trade-off of 
more nuisance alarms. Electric field and 
capacitance sensors are susceptible to 
lightning, rain, fence motion, and small 
animals. Ice storms may cause substantial 
breakage and damage to the wires and 
the standoff insulators. Good electrical 
grounding of electric field sensors is 
important to reduce nuisance alarms. 
Other metal objects (such as the chain- 
link fence) in the sensor field must also 
be well grounded; poor or intermittent 
grounds will cause nuisance alarms. 
Because the detection volume extends 
beyond the fence plane, electric field 
sensors are more difficult than other 
fence-associated sensors to defeat by 
digging under or bridging over the fence 
(Follis, 1990). 

The electric field or capacitance sensors 
can be mounted on their own set of posts 
instead of being associated with a security 
fence. The main differences in perfor- 
mance are due to the absence of the 
parallel grounded chain-link mesh. This 
results in two areas of improved perfor- 
mance: a wider detection volume for the 
sensitive electric field sensor, and a lower 
nuisance alarm rate due to the elimination 
of noise from the motion of the chain-link 



fence. For the freestanding version of elec- 
tric field sensors, some electronic signal- 
processing techniques employ additional 
wires in the horizontal plane to reduce the 
effects of distant lightning and alarms due 
to small animals. 



Freestanding Sensors 

The primary types of freestanding sen- 
sors currently used for exterior intrusion 
detection are infrared, microwave, and 
video motion detection sensors. 

Active Infrared 

The infrared (IR) sensors used for exterior 
intrusion detection are active, visible, 
line-of-sight, and freestanding sensors. An 
IR beam is transmitted from an IR light- 
emitting diode through a collimating lens. 
Collimating lenses are used in active 
infrared sensors to convert the divergent 
beams of IR light into parallel beams, 
resulting in an efficient collection of the 
signal at the receiver. Without this lens, 
the light would disperse and provide a 
weaker signal at the receiver. The beam is 
received at the other end of the detection 
zone by a collecting lens that focuses the 
energy onto a photodiode. The IR sensor 
detects the loss of the received infrared 
energy when an opaque object blocks the 
beam. These sensors operate at a wave- 
length of about 0.9 microns, which is not 
visible to the human eye. One type of 
active infrared exterior sensor is shown in 
Figure 6.3. 

Although single-beam IR sensors are 
available, multiple-beam sensors are nor- 
mally used for high-level security appli- 
cations because a single IR beam is too 
easy to defeat or bypass. A multiple-beam 
IR sensor system typically consists of 
two vertical arrays of IR transmitter and 
receiver modules (the specific number 
and configuration of modules depends on 
the manufacturer). Thus the IR sensor 
creates an IR fence of multiple beams but 
detects a single beam break. Multiple- 
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Figure 6.3 Freestanding Active Infrared 
Sensor. This picture shows one of the two 
units in the transmitter/receiver pair. 
Intrusions are detected when the IR beam 
is broken 



beam infrared sensors usually incorporate 
some electronics to detect attempts at 
spoofing the beams with an alternative IR 
source. 

Conditions that reduce atmospheric vis- 
ibility have the potential to block the IR 
beams and cause nuisance alarms. If the 
visibility between the two arrays is less 
than the distance between the two arrays, 
the system will probably produce a nui- 
sance alarm. These conditions sometimes 
exist in fog, snow, and dust storms. In 
addition, grass, vegetation, and animals 
also add to nuisance alarms. The area 
between the IR posts should be kept clear 
of grass or other vegetation since even 
grass that is trimmed will move in the 
wind and can cause an alarm. Other 
sources of nuisance alarms include 
ground heave, optical alignment prob- 
lems, and deep snow accumulations. 

The detection volume cross-section of a 
multiple-beam IR sensor is typically 2 



inches wide and 6 feet high. Thus IR 
sensors have a narrow plane of detection 
similar in dimensions to fence sensors. 
IR sensors are considered line-of-sight 
sensors and require a flat ground surface 
because the IR beam travels in a straight 
line. A convex ground surface will block 
the beam, and a concave surface will 
permit passing under the beam without 
detection. Digging under the bottom beam 
is possible unless a concrete sill or paved 
surface has been installed. The P D is very 
high for a multiple beam sensor. Other 
methods of defeat include bridging, pole 
vaulting, stepping, or sliding through 
beams, or using sunshades on posts as a 
ladder. 

Passive Infrared 

Humans emit thermal energy due to the 
warmth of their body. On the average, 
each active human emits the equivalent 
energy of a 50-watt light bulb, and passive 
infrared (PIR) detectors sense the pres- 
ence of this energy and cause an alarm to 
be generated. For years this technology 
was only usable in an interior application 
because the changes in heat, emitted by 
the ground as clouds passed overhead, 
caused too many false alarms. Current 
models, however, compare the received 
thermal energy from two curtain-shaped 
sensing patterns. A human moving into 
one area and then the other would cause 
an imbalance. Weather-related tempera- 
ture changes such as the increases in 
temperature during a summer day would 
affect both areas equally and would not 
cause an alarm. 

The PIR sensors should be mounted 
such that the motion of the intruder will 
most likely be across the line of sight 
since that is the most sensitive direction. 
Blowing debris, animals, birds, vegeta- 
tion, standing water movement, and very 
heavy rain or snowfall could cause nui- 
sance alarms. The passive infrared detec- 
tor is most sensitive when the background 
is at a much different temperature than an 
intruder. Methods of defeat include bridg- 
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ing, tunneling, pole-vaulting, shielding 
the intruder to minimize the difference 
between his or her temperature and 
the background, or causing an identical 
change to both sensing patterns, such as 
blocking the field of view. Detection 
ranges can exceed 100 yards on cold days 
and can vary depending upon the back- 
ground temperature. Large hot objects, 
such as vehicles, may be detected well 
beyond the desired detection zone. 

Bistatic Microwave 

Bistatic microwave sensors are active, 
visible, line-of-sight, freestanding sensors. 
Typically, two identical microwave anten- 
nas are installed at opposite ends of the 
detection zone. One is connected to a 
microwave transmitter that operates near 
10 Gigahertz (GHz) or 24 GHz. The other 
is connected to a microwave receiver that 
detects the received microwave energy. 
This energy is the vector sum of the direct 
beam between the antennas and the 
microwave signals reflected from the 
ground surface and other objects in 
the transmitted beam. Microwave sensors 
respond to changes in the vector sum 
caused by objects moving in that portion 
of the transmitted beam that is within the 
viewing field of the receiver. This vector 
sum may actually increase or decrease, as 
the reflected signal may add in-phase or 
out-of-phase. One bistatic microwave 
antenna is shown in Figure 6.4. 

Bistatic microwave sensors are often 
installed to detect a human crawling or 
rolling on the ground across the 
microwave beam, keeping the body paral- 
lel to the beam. From this aspect the 
human body presents the smallest effec- 
tive target to the bistatic microwave 
sensor. This has two important conse- 
quences for the installation of microwave 
sensors. First, the ground surface between 
the transmitter and receiver must be flat 
so that the object is not shadowed from 
the microwave beam, precluding detec- 
tion. The surface flatness specification for 
this case is +0, -6 inches. Even with this 
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Figure 6.4 Bistatic Microwave Antenna. 
This sensor will detect humans crawling 
or rolling through the microwave beam. 
The other unit of the microwave pair is 
placed at the opposite end of the detection 
zone to establish the detection volume 



flatness, crawlers may not be detected if 
the distance between antennas is much 
greater than 120 yards. Second, a zone of 
no detection exists in the first few meters 
in front of the antennas. This distance 
from the antennas to the point of first 
crawler detection is called the offset dis- 
tance. Because of this offset distance, long 
perimeters where microwave sensors are 
configured to achieve a continuous line 
of detection require that the antennas 
overlap one another, rather than being 
adjacent to each other. An offset of 10 
yards is typically assumed for design pur- 
poses, thus adjacent sectors must overlap 
twice the offset distance, for a total of 20 
yards. Other site requirements are that the 
antenna height is 18 to 24 inches above 
the sensor bed surface, and the slope of 
the plane of operation cannot allow more 
than a 1-inch elevation change in 10 feet 
from any point on the surface of the plane. 
Since the primary cause of nuisance 
alarms for a bistatic microwave is stand- 
ing water, the sensor performs best when 
the sensor bed surface is made of 4 inches 
of riverbed gravel, no larger than 1.5 
inches in diameter, with a neutral color 
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preferred for assessment purposes. If the 
size of the gravel is greater than 1.5 inches 
in diameter, rain will still cause nuisance 
alarms. Crushed rock that will pass 
through a 1-inch screen may be used. 
Smaller stones quickly fill up with soil 
and do not drain properly. 

The detection volume for bistatic 
microwave sensors varies with the manu- 
facturer's antenna design but is large com- 
pared to most other intrusion sensors. 
The largest detection cross-section is at 
midrange between the two antennas 
and is approximately 4 yards wide and 
3 yards high. 

Microwave sensors tolerate a wide 
range of environmental conditions with- 
out producing nuisance alarms. However, 
nuisance alarms can be produced by a 
number of environmental conditions. Veg- 
etation should be no higher than 1 to 2 
inches tall in the area, and no vegetation 
at all is preferable. A nearby parallel 
chain-link fence with loose mesh that 
flexes in the wind will appear to the 
sensor as a large moving target and may 
cause nuisance alarms. Surface water 
from rain or melting snow appears to the 
microwave sensor as a moving reflector, 
therefore the flat plane required for 
crawler detection should have a cross 
slope for water drainage and gravel 
should be used to prevent standing water 
on the surface of the zone. Heavy blowing 
snow may produce nuisance alarms; snow 
accumulation will reduce the P D , espe- 
cially for the crawler; and complete burial 
of the antenna in snow will produce a 
constant alarm. Defeats by bridging or 
digging under are not simple due to the 
extent of the detection volume. More 
sophisticated defeat methods involve the 
use of secondary transmitters. 

It is recommended that some form of 
fencing be incorporated in applications 
using exterior bistatic microwave sensors, 
to reduce the potential for nuisance 
alarms and to help maintain the carefully 
prepared area. These sensors are difficult 
or impossible to use in areas where hills, 



trees, or other natural features obstruct 
the beam. 

Monostotic Microwave 

Microwave detectors are also available in 
monostatic versions. In this configuration, 
the transmitter and receiver are in the 
same unit. Radio-frequency energy is 
pulsed from the transmitter, and the 
receiver looks for a change in the reflected 
energy. Motion by an intruder causes the 
reflected energy to change and thus causes 
an alarm. These sensors are range-gated, 
meaning that the site can set the range 
beyond which motion can occur without 
an alarm. A monostatic microwave sensor 
is pictured in Figure 6.5. 

Dual-Technology Sensors 

In an effort to reduce nuisance alarms, 
dual-technology sensors are becoming 
more popular for security use. An 
example of dual technology would be to 
place both a passive infrared and a mono- 
static microwave in the same housing. 
The theory behind these devices is that 
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Figure 6.5 Monostatic Microwave Sen- 
sor. The receiver and transmitter are in the 
same unit 
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the sensor will not give an alarm until 
both sensors have detected, thus avoiding 
common nuisance alarms from each of the 
technologies and only initiating an alarm 
for an actual intruder. In this mode the 
sensitivity of each sensor could be set 
very high without the associated nuisance 
alarms. The reduction in nuisance alarms, 
however, is accompanied by a decreased 
P D since an intruder must only defeat one 
sensor to bypass the detector. 



Video Motion Detection 

Video motion detectors (VMDs) are pas- 
sive, covert, line-of-sight sensors that pro- 
cess the video signal from closed-circuit 
television (CCTV) cameras. These cam- 
eras are generally installed on towers to 
view the scene of interest and may be 
jointly used for detection, surveil-lance, 
and alarm assessment. Lighting is required 
for continuous 24-hour operation. 

VMDs sense a change in the video 
signal level for some defined portion of 
the viewed scene. Depending on the 
application, this portion may be a large 
rectangle, a set of discrete points, or a rec- 
tangular grid. Detection of human body 
movement is reliable except during con- 
ditions of reduced visibility, such as fog, 
snow, heavy rain, or loss of lighting 
at night. 

There are many potential sources of 
nuisance alarms for VMDs used outdoors. 
Application to exterior intrusion detec- 
tion has been limited pending the de- 
velopment of new VMDs with signal 
processing to reduce nuisance alarms 
without compromising detection signifi- 
cantly. Nuisance alarms may be created by 
apparent scene motion due to unstable 
camera mounts; changes in scene illumi- 
nation caused by such things as cloud 
shadows, shiny reflectors, and vehicle 
headlights; and moving objects in the 
scene such as birds, animals, blowing 
debris, and precipitation on or near the 
camera. Defeat tactics include taking 
advantage of poor visibility conditions, 



camouflaging the target into the back- 
ground, and attack during times of 
reduced visibility (Ringler and Hoover, 
1994; Matter, 1990). 

Emerging Technology 

There are a variety of exterior intrusion 
sensors and sensor combinations under 
development at this time. Many of these 
new technologies represent incorporation 
of faster processors to allow for speedier 
detection, more filtering, or wider detec- 
tion volumes. Components such as 3-D 
VMDs and new dual-technology devices 
fit into this category. There are some 
sensor systems under development that 
incorporate thermal-imagers and video in 
an attempt to monitor very wide areas. In 
addition, the development of portable 
sensors is in progress, using microwave, 
infrared, and fence technologies. 

Development of airborne intrusion de- 
tection is another emerging area. These 
systems use existing radar, vibration, 
imaging, and other technologies for appli- 
cation in the detection of an adversary 
attack through the air. 

These emerging technologies show 
some promise but are not as well charac- 
terized as the other types of sensors dis- 
cussed in this chapter. Once these sensors 
or systems have been evaluated and 
assigned performance measures for P D , 
NAR, and vulnerability, they can be inte- 
grated into existing systems as possible 
upgrades or used in new designs. 

Perimeter Sensor Systems — Design 
Concepts and Goals 

The material discussed thus far in this 
chapter summarizes a variety of exterior 
intrusion sensor technologies. This sec- 
tion discusses the integration of indi- 
vidual sensors into a perimeter sensor 
system and considers the interaction of 
the perimeter system or subsystem with a 
balanced and integrated PPS. Before the 
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detailed design and implementation of a 
perimeter sensor system are considered, 
some basic design principles and con- 
cepts for perimeter sensor systems should 
be understood. 

Continuous Line of Detection 

By definition, a perimeter is a closed line 
around some area that needs protection. A 
design goal is to have uniform detection 
around the entire length of the perimeter. 
The perimeter is divided into sectors to 
aid in assessment and response. This 
requires that sensors form a continuous 
line of detection around the perimeter. In 
practice this means configuring the sensor 
hardware so that the detection zone from 
one perimeter sector overlaps with the 
detection zones for the two adjacent 
sectors. Also, in areas where the primary 
sensor cannot be deployed properly, such 
as a gate, an alternate sensor is used to 
cover that gap. 

Protection-in-Depth 

As applied to perimeter sensor systems, 
the concept of protection-in-depth means 
the use of multiple lines of detection. 
Thus a minimum of two continuous 
lines of detection is used in high-security 
systems. Many perimeter sensor systems 
have been installed with three sensor 
lines, and a few have four. For example, 
a perimeter sensor system might include 
a buried-line sensor, a fence-associated 
sensor, and a freestanding sensor. Multi- 
ple sensor lines provide additional detec- 
tion, increased reliability, and in case of 
hardware failure, will fail-secure (i.e., still 
provide protection, although to a lesser 
degree). In this scheme, any single sensor 
can fail without jeopardizing the overall 
security of the facility being protected. 
Elimination of single-point or component 
failures is a major advantage in any secu- 
rity system, as this will assure balanced 
protection even in adverse conditions and 



will prevent the introduction of vulner- 
ability based on the failure or defeat of 
only one component by the adversary. 



Complementary Sensors 

Significantly better performance by the 
perimeter sensor system can be achieved 
by selecting different and complementary 
types of sensors for the multiple lines 
of detection, for example microwave 
and active infrared. In this way, different 
sensor technologies, with different P D , 
NAR, and vulnerabilities are combined to 
increase the effectiveness of the exterior 
perimeter intrusion detection system. 
Complementary sensors enhance the 
overall system performance because they 
use the best features of a particular tech- 
nology, while at the same time providing 
effective backup in case of environmental 
change, component failure, or successful 
attack by the adversary. This design phi- 
losophy results in detection of a wider 
spectrum of intruders, allows operation of 
at least one sensor line during any con- 
ceivable environmental disturbance, and 
increases the difficulty of the task for the 
covert intruder attempting to defeat the 
system. 

Use of complementary sensors can be 
an effective alternative to the use of dual- 
technology sensors since the individual 
sensors will perform at their maximum 
levels and not be compromised by co- 
location and filtering. While implementa- 
tion of complementary sensors may be 
more expensive, they will also afford a 
higher protection level. Due to the higher 
protection provided by complementary 
sensors, they are the preferred method in 
high-security applications. 

Examples of exterior complementary 
sensors include microwave/infrared, 
microwave/ported coaxial cable, and 
ported coaxial cable/infrared combina- 
tions. The important point is that the 
detection patterns must overlap for the 
sensors to be complementary. For example, 
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a microwave/fence sensor combination is 
not complementary because the detection 
patterns can't overlap without serious nui- 
sance alarm problems. In addition, bista- 
tic/monostatic microwave combinations 
are not complementary since both are sus- 
ceptible to the same defeat methods and 
nuisance alarm sources. 

Priority Schemes 

One disadvantage of multiple sensor lines 
is that more nuisance alarms will have to 
be processed. System effectiveness has 
not been increased if the system operator 
is overwhelmed with nuisance alarms. As 
discussed in Chapter 5 "Physical Protec- 
tion System Design," the probability of 
detection decreases as the time to assess 
alarms increases. The assessment subsys- 
tem should aid the operator in evalu- 
ating alarm information. Many different 
methods have been used to deal with the 
alarm data from a combination of sensors. 
A recommended method currently in use 
requires the system operator to assess all 
alarms with the aid of a computer that 
establishes the time order of assessment 
for multiple simultaneous alarms. The 
computer sets a priority for each alarm 
based on the probability that an alarm 
event corresponds to a real intrusion. The 
alarms are displayed to the operator in 
order of decreasing priority; all alarms are 
eventually assessed. The alarm priority 
is typically established by taking into 
account the number of sensors in alarm in 
a given sector, the time between alarms in 
the sector, the order in which the alarms 
occur in relation to the physical configu- 
ration of the sensors, and alarms in the 
two adjacent sectors. This point will be 
discussed in more detail in Chapter 9, 
"Alarm Communication and Display." 

Combination of Sensors 

It is desirable that a sensor or sensor 
system have a high probability of detec- 



tion (P D ) for all expected types of intru- 
sion and a low nuisance alarm rate (NAR) 
for all expected environmental condi- 
tions. No single exterior sensor presently 
available meets both of these criteria; all 
are limited in their detection capability 
and all have high NARs under certain 
environmental conditions. The two basic 
techniques for combining sensors are OR 
combinations and AND combinations. 

A system can consist of two or more 
sensors with their outputs combined by 
an OR gate so that an alarm would be gen- 
erated when any sensor is activated. This 
combination is useful for sensors that 
make up for the deficiencies of each other; 
each sensor is intended to detect particu- 
lar types of intrusions. Thus, sensors that 
detect above ground, overhead, and tun- 
neling intrusions should be combined by 
an OR gate. 

The nuisance alarm rate of the OR com- 
bination, or NAR (OR), will be the sum of 
the NAR of each sensor. Neglecting the 
possibility of simultaneous activation, 
the NAR of the combination will equal 
the sum of individual NARs: 

NAR(OR) = XNARi 

where NARi is the nuisance alarm rate of 
the ith sensor in a system of n sensors. 
Because this combination results in an 
increased NAR, it is most useful for 
sensors that individually have low NARs. 
The nuisance alarm rate can be signifi- 
cantly reduced by combining sensors with 
an AND gate if the nuisance alarms of 
the sensors are not correlated. A seismic 
sensor and an electric field sensor do 
not give correlated alarms, for example, 
because they respond to different things. 
If both are activated at about the same 
time, it is probable that they have detected 
an intrusion. Since a single intrusion 
attempt will not activate two or more 
sensors simultaneously, a system can be 
designed to generate an alarm if two or 
more sensors are activated within a pre- 
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selected time interval. A long time inter- 
val is desirable to assure detection of in- 
truders moving slowly, but if the interval 
is too long, the NAR may not be reduced 
enough. By installing sensors so they 
cover the same general area, thereby pro- 
viding redundant coverage, the time inter- 
val can be kept small. 

Detection probability of the AND com- 
bination, or P D (AND), will be lower than 
the detection probability of each sensor. 
If detection performance is independent 
and coverage by sensors is redundant, the 
P D of the combination will equal the 
product of the individual P D s. To assure a 
reasonable detection probability for the 
system, the detection probability of the 
individual sensors must be high. 

The nuisance alarm rate of the AND 
combination, NAR (AND), will be less 
than the nuisance alarm rate of each 
sensor. If the sensor outputs are not cor- 
related and occur at a random rate that is 
much less than one output per selected 
time interval, T, then for two sensors, 

NAR(AND) = — (NAR1XNAR2) 
60 

where T is in minutes and NARl and 
NAR2 are in alarms per hour. The AND 
combination is desirable since nuisance 
alarms can be reduced by several orders 
of magnitude over the individual sensor's 
own NAR. The time interval T may be 
site-specific, depending on the installa- 
tion geometry and sensor characteristics; 
however, it will probably be within the 
range of 15 and 120 seconds. The disad- 
vantage of the AND scheme is that there 
is still the problem of reduced P D because 
the intruder must only defeat one sensor. 

Clear Zone 

A perimeter intrusion detection system 
performs better when it is located in an 
isolated clear zone (or isolation zone). The 
purpose of the clear zone is to improve 
performance of the perimeter sensor 



system by increasing detection probabil- 
ity, reducing nuisance alarms, and pre- 
venting defeat. The clear zone also 
promotes good visual assessment of the 
causes of sensor alarms. Two parallel 
fences extending the entire length of the 
perimeter usually define the width of the 
clear zone. The fences are intended to 
keep people, animals, and vehicles out of 
the detection zone. The area between the 
fences is usually cleared of all above- 
ground structures, including overhead 
utility lines; vegetation in this area is also 
removed. After the zone between the 
fences is cleared, only the detection 
and assessment hardware and associated 
power and data lines are installed in the 
area. When clear zones bounded by two 
parallel fences are used, no sensors 
should be placed on the outer fence. This 
will reduce nuisance alarms from blowing 
debris and small animals and will elimi- 
nate the possibility of an adversary defeat- 
ing the fence sensor without being seen 
by the video assessment system. Video 
assessment of anything outside the fence 
will be difficult due to the inability of the 
camera to see through the fence fabric. 
Clear zones, and the associated use of 
multiple complementary sensors, is gen- 
erally reserved for use at high-security 
facilities, such as nuclear plants, prisons, 
military bases, or other government 
installations. 



Sensor Configuration 

The configuration of the multiple sensors 
within the clear zone also affects system 
performance. Overlapping the detection 
volumes of two different sensors within 
each sector enhances performance by cre- 
ating a larger overall detection volume. 
Thus, defeat of the sensor pair is less 
probable because a larger volume must be 
bypassed or two different technologies 
must be defeated simultaneously. A third 
sensor can even further enhance perfor- 
mance, not by overlapping with the first 
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two, but by forming a separate line of 
detection. Physically separate lines of 
detection can reveal information useful 
for determining alarm priority during 
multiple simultaneous alarms. In particu- 
lar, the order of alarms in a sector (or 
adjacent sectors) may correspond to the 
logical sequence for an intrusion. 

Site-Specific System 

Each site requiring physical protection 
has a unique combination of configuration 
and physical environment. Thus, a PPS 
designed for one site cannot be transferred 
to another. The physical environment will 
influence the selection of types of sensors 
for perimeter sensor systems. The natural 
and industrial environments provide the 
nuisance alarm sources for the specific 
site. The topography of the perimeter 
determines the shapes and sizes of the 
space available for detection, specifically 
the clear zone width and the existence of 
flat or irregular terrain. These factors gen- 
erally help determine a preferred set of 
sensors. Although the understanding of 
the interaction between intrusion sensors 
and the environment has increased sig- 
nificantly in recent years, it is still advis- 
able to set up a demonstration sector 
on site using the possible sensors before 
making a commitment to a complete 
system. This test sector located on site is 
intended to confirm sensor selection and 
to help refine the final system design. 

Tamper Protection 

The hardware and system design should 
incorporate features that prevent defeat 
by tampering. This means the system 
should be tamper-resistant and tamper- 
indicating. Sensor electronics and junc- 
tion box enclosures should have tamper 
switches. Above-ground power and signal 
cables should be installed inside metal 
conduit. Alarm communication lines 
should use some type of line supervision, 



which detects lines that have been 
cut, disconnected, short-circuited, or by- 
passed. The receiver electronics of bista- 
tic sensors are generally more vulnerable 
to defeat than the transmitter electronics. 
In this case the sensors can often be 
placed so that an intruder must be in or 
pass through the detection volume to 
approach the receiver. 

Self-Test 

To verify normal operation of a perimeter 
sensor system, its ability to detect must 
be tested regularly. Although manual test- 
ing is recommended, manpower require- 
ments are usually restrictive. A capability 
for remote testing of trigger signals can be 
provided and initiated by the alarm com- 
munication and control system. Typically 
this is just a switch closure or opening. In 
an automatic remote test procedure, the 
central computer control system generates 
at a random time a test trigger to a given 
sensor. The sensor must then respond 
with an alarm. The control system checks 
that an alarm occurred within a specified 
time and cleared within another specified 
time. Failure to pass the test indicates a 
hardware failure or tampering and pro- 
duces an alarm message. 

Pattern Recognition 

The field of sensor technology is in a 
period of major change, caused by the 
development of inexpensive, powerful 
computers. These computers can now 
receive signals from sensors and analyze 
the signal pattern, looking for patterns 
that are particularly characteristic of an 
intruder. Using neural network or artifi- 
cial intelligence software, the computers 
can actually learn these intruder signal 
patterns and then avoid nuisance alarms. 
Any sensor or combination of sensors that 
returns a signal other than just off-on can 
have their signals analyzed by a small 
computer and can in some cases sense 
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whether or not an intruder is present. 
Examples include intelligent infrared and 
fence sensors. 



Effects of Physical and 
Environmental Conditions 



The physical and environmental condi- 
tions that can affect exterior detection 
systems include: 

• topography 

• vegetation 

• wildlife 

• background noise 

• climate and weather 

• soil and pavement 

These conditions are different at every 
site. 

Topographic features such as gullies, 
slopes, lakes, rivers, and swamps must 
be considered when designing an ex- 
terior detection system. Grading may be 
required to reduce hills and slopes. 
Draining may also be required to reduce 
water flow through gullies and ditches to 
prevent seismic disturbances caused by 
running water. The perimeter system 
should avoid lakes, rivers, and swamps, 
since there are few commercial sensors 
suitable for use in water. 

Sensor performance can be affected by 
vegetation in two ways: underground and 
above ground. Motion of trees or plants 
caused by wind may be transmitted to 
their root systems and cause a seismic 
sensor to generate a nuisance alarm. 
Above ground, large plants and trees can 
be used as cover by an intruder and also 
generate nuisance alarms. Additionally, 
vegetation tends to attract small animals, 
creating more nuisance alarms. If vegeta- 
tion is a problem, it must be controlled 
by mowing, removal, soil-sterilization, or 
surfacing. 

In some locations, wildlife may cause 
some problems. Large animals may dam- 



age equipment by collision, and burrow- 
ing animals may eat through cable insula- 
tion material. Small animals, burrowing 
animals, birds, and insects also cause nui- 
sance alarms that may be difficult to 
assess. Dual chain-link fences and chem- 
ical controls may be used to con- 
trol wildlife; however, local regulations 
should be observed with regard to poisons 
and repellents. Removing vegetation from 
fence lines has been found to discourage 
some smaller animals. 

A site survey along with information 
obtained from utility companies and 
plant-engineering organizations on-site 
may reveal many sources of background 
noise. These sources may include wind, 
traffic, electromagnetic interference, and 
seismic sources. 

Disturbances related to wind are caused 
by the transfer of energy to the ground by 
trees, power and light poles, fences, and 
other items. High winds and wind-blown 
debris can also cause nuisance alarms 
from sensors mounted on fences by dis- 
turbing the fence. 

Traffic from nearby roadways, railways, 
and airports creates nuisance alarms for 
seismic sensors. Roads should be kept 
smooth and the speed limit at a minimum 
to reduce the nuisance alarm rate. Seismic 
sensors are not practical near heavy air or 
railway traffic, because this type of traffic 
causes seismic disturbances even at long 
distances. 

Examples of sources of electromag- 
netic interference include lightning, radio 
transmitters, welding, and electrical tran- 
sients. Shielding of the sources or the 
sensors can reduce nuisance alarms. 

Specific data about the climate and the 
weather conditions should be obtained for 
the site. Information such as frequency, 
velocity, accumulation, and duration 
should be obtained about hail, electrical 
storms, rainfall, and wind. Mean min- 
imum and maximum temperatures should 
also be noted as well as other weather and 
environmental conditions. 
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Soil and pavement conditions can affect 
the operation of buried seismic sensors. 
The seismic conductivity of the medium 
is the determining factor. It should be high 
enough to make seismic sensors effective, 
but not so high that it causes nuisance 
alarms. Wet soil tends to have exception- 
ally good seismic conduction. However, 
wet soil tends to respond strongly to 
distant sources of seismic activity and 
thus cause excessive nuisance alarms. 
Buried systems of seismic magnetic 
sensors and seismic sensors may have to 
be embedded in or installed under areas 
paved with concrete or asphalt. The 
sensitivity of a sensor embedded in the 
pavement is increased if the sensor is ade- 
quately coupled to the medium. If the 
sensor is not adequately coupled to the 
medium, its sensitivity may be much 
lower than when it is installed in soil or 
buried under the pavement. Soil conduc- 
tivity can also affect the sensitivity of 
ported coaxial cable. Highly conductive 
soils greatly reduce the detection volume 
of the sensor. 



Lightning Protection 

Because exterior sensors are installed 
outdoors, they are exposed to electrical 
storms at most sites. Lightning can easily 
disable, damage, or destroy the sensitive 
electronics used in sensor equipment. 
There are three primary precautions for 
reducing lightning damage. First, all 
signal cables should be shielded, either by 
the internal cable construction or by using 
metal conduit. Second, a good ground 
system is required. This means eliminat- 
ing ground loops and using grounds at a 
single point. Third, passive transient sup- 
pression devices can be installed at the 
ends of the cables. Fiber-optic transmis- 
sion cables are not affected by lightning 
and have thus become very popular for 
transmitting signals for long distances 
outside a building. 



Integration with Video 
Assessment System 



Many perimeter security systems use a 
CCTV system to perform alarm assess- 
ment. For both the sensor and video 
systems to perform well, care must be 
taken to ensure that the designs of the 
two systems or subsystems are compati- 
ble. Assessment may take place via the 
use of CCTV systems or manually by 
people. Video assessment automatically 
tied to sensor activation greatly reduces 
the amount of time required to determine 
the alarm source, thereby maximizing 
the use of any remaining delay and 
increasing the chance of successful inter- 
ruption of the adversary. Video assess- 
ment also allows remote evaluation of the 
alarm condition, which eliminates the 
need to constantly dispatch guards to 
determine the cause of the alarm — 
perhaps too late to make an accurate 
assessment. For maximum effectiveness, 
the sensors must be placed so that when 
an alarm occurs, the camera viewing the 
zone will have an unobstructed view of 
the entire zone. 

One trade-off to be considered is the 
width of the clear zone. Sensor engineers 
desire a wide area for installing their 
sensors to reduce nuisance alarms. Video 
engineers desire a narrow area to assess so 
that they can achieve better resolution 
from the cameras. A compromise clear 
zone width is in the range of 10 to 15 
yards. 

Another trade-off is the location of the 
camera tower within the clear zone. 
The camera must be positioned to view 
the entire area being assessed. The sensors 
must be placed far enough away from the 
camera towers to prevent distortion of the 
detection volume and nuisance alarms. 
Frequently the camera towers are located 
1 to 2 yards inside the outer fence of the 
clear zone to prevent their use in bridging 
attacks by an adversary. 
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Integration with Barrier 
Delay System 



Balanced integrated PPSs usually incor- 
porate some type of barrier or access 
denial systems to provide delay time for 
video assessment of the alarm source and 
for the response force to respond to an 
intrusion. In many cases this includes 
some type of barrier installed at the 
perimeter; however, the barrier should not 
degrade the performance of the sensors. 
Perimeter barriers are usually installed on 
or near the inner clear zone fence so that 
an intruder cannot tamper with or defeat 
the barrier without first passing through 
the detection zone. This placement is 
important to ensure that the response 
action is initiated before the delay occurs. 
Barriers should not distort the sensors' 
detection volume, cause nuisance alarms, 
or obscure part of the camera's view. 



Exterior Sensor Subsystem 
Characteristics 



The finished exterior intrusion detection 
subsystem should incorporate many of 



the security principles and features 
described thus far. A schematic diagram 
of a typical exterior system is shown in 
Figure 6.6. 

This subsystem uses a continuous line 
of detection, protection-in-depth, comple- 
mentary sensors, and a clear zone in the 
design. Not readily apparent but also 
included is the use of alarm combination 
and priority schemes in alarm monitoring. 
The system shown uses CCTV to accom- 
plish the assessment function. A look at 
how this sector might appear in actual use 
is shown in Figure 6.7. Notice the well- 
maintained clear zone, the consistency in 
width between fences, the placement of 
the sensors, lighting, and camera towers, 
and the overlap of sensors from one zone 
to the next. This is an excellent example 
of a well-designed exterior sensor subsys- 
tem on a high-security site perimeter. 



Procedures 

As this text stresses repeatedly, an effec- 
tive security system represents the suc- 
cessful integration of people, procedures, 
and equipment. For exterior intrusion 
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Figure 6.6 Schematic View of Exterior Sensor System Layout. The complementary IR 
and microwave sensors overlap to prevent defeat by crawlers or jumpers, the taut-wire 
sensor is located close to the inner fence to reduce the NAR, and junction boxes are placed 
inside the detection volume 
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Figure 6.7 Typical Perimeter Using Exte- 
rior Intrusion Sensors. The isolation zone 
is clear of debris or vegetation, the fences 
are consistently spaced, and sensor detec- 
tion zones overlap 



detection systems, the procedures related 
to installation, maintenance test, and 
operation should be established. Training 
in all of these procedures will also be 
required for new personnel and to stay 
abreast of new technology. 

Proper installation instructions can 
be obtained from the manufacturer and 
provide an appropriate starting point. 
However, because many manufacturers 
cater to both the high- and low-end secu- 
rity market, it is not uncommon to find 
that some modification of these instruc- 
tions will optimize sensor performance. 
For example, several microwave manu- 
facturers publish literature stating that the 
units will operate at a separation of up to 



300 yards. But at this distance the sensor 
will not detect a crawling intruder. Many 
fence sensor manufacturers also suggest 
using a fence-disturbance sensor around a 
corner, but it is not practical to assess this 
type of a sensor zone. 

Maintenance activities on all sensors 
and associated components must also 
be performed on a periodic basis. Such 
things as calibration, sensitivity checks, 
alignment, and visual inspection should 
be performed regularly to keep the sensor 
components operating as effectively as 
possible. More importantly, poor mainte- 
nance will have a significant effect on P D 
and NAR, and perhaps make the system 
more vulnerable to defeat. Improper 
drainage of a sector may cause erosion 
that ultimately leads to defeat of a sensor. 

In addition to maintenance activities, 
component operational tests should also 
be performed on a regular basis, to assure 
that the sensor element is contributing as 
expected to overall system effectiveness 
(Hay ward, 1993). These tests should be 
done both during the day and at night to 
verify that the sensor still performs as 
expected against the design basis threat. 
Different sensor types will require dif- 
ferent specific tests; however, tests for 
walking and running speeds (slow and 
fast) and crawling tests should be per- 
formed to check sensor operation. Tests 
checking how slowly an object can move 
and avoid detection should also be 
performed. Standardized tests should 
be performed whenever possible. For 
microwave sensors, these tests consist 
of using an aluminum sphere to simulate 
a crawling intruder. This test results 
in more accurate, repeatable results than 
performing actual crawl tests. Another 
standardized test is to measure attenua- 
tion factors for infrared sensors. 

Contingency plans and procedures 
should exist that will be implemented in 
the event that a particular sensor or other 
equipment is lost. These plans should 
clearly define when they will be used: for 
example, when two of the three perimeter 
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sensors are lost. If the contingency plan 
for the loss of one or more sensors in a 
sector is to provide compensatory mea- 
sures, these measures should also be clear. 
In some situations, it may be possible to 
use portable sensors. In other situations, 
the procedure may be to dispatch a guard 
to the sector to provide detection. This 
would be expected at a site with a large 
number of distributed targets. A site with 
a limited set of targets might choose to 
send a guard to the target location. The 
specific procedures should be defined in 
advance and readily available to system 
operators for implementation. 

Once all of the procedures used to 
maintain, test, and operate exterior sen- 
sors are established, documentation 
should be collected, stored, and main- 
tained by site personnel. Required, recom- 
mended, and troubleshooting procedures 
should be included, as well as mainte- 
nance logs for each sensor, training 
records for all employees, and outcomes 
of any unique instances, such as causes of 
any false alarms. 

Summary 

Exterior intrusion detection sensors have 
been discussed in terms of sensor classi- 
fication and application, probability of 
detection, nuisance alarm rate, and vul- 
nerability to defeat. The designer inte- 
grating individual sensors into a 
perimeter sensor system must consider 
specific design goals, the effects of physi- 
cal and environmental conditions, and 
the interaction of the perimeter system 
with a balanced and integrated PPS. 

Security principles incorporated into a 
good exterior-intrusion detection system 
include protection in depth, use of com- 
plementary sensors, elimination of single- 
point failures, and integration of people, 
equipment, and procedures. Desired fea- 
tures include the use of a clear zone, 
proper configuration of sensors in the 
clear zone, alarm combination and prior- 



ity schemes, tamper protection, and self- 
test capability. The design should be 
site-specific and suitable for the physical, 
environmental, and operational condi- 
tions that will be encountered. Finally, the 
exterior sensor subsystem should be well 
integrated with the video and barrier 
subsystems. 

Major sensor component and subsystem 
characteristics include high probability of 
detection, low nuisance alarm rate, and 
low vulnerability to the defined threat. 
Other features include a fast communica- 
tion system for sending and assessing 
alarms, good lighting and assessment 
systems, and a balanced system that pro- 
vides adequate protection on all paths 
through the perimeter. Use of exterior 
perimeter-intrusion detection systems is 
generally found only in high-security 
applications. 

Security Principles 

The performance measures for sensors are 
P D , NAR, and vulnerability to defeat. 

Use of multiple, continuous lines of 
detection provides protection-in-depth. 

Use of complementary sensors, or 
sensors that compensate for each 
other's weaknesses, will increase sys- 
tem performance. 

Single-point or component failures 
should be avoided to maintain balance 
within the system and to reduce the 
chance of successful adversary attack at a 
weak point in a protection layer. 

The perimeter-intrusion detection sys- 
tem should be integrated with the alarm 
assessment and barrier delay systems. 
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Questions 

1. Discuss the following application 
considerations: 

a. Sensors should always be 
installed with proper overlap at 
sector boundary. 

b. If relocation of existing pipes 
or lines is not feasible, then 
additional sensors may be 
required. 

c. Sensors should not be installed 
in locations where assessment 
may be difficult. 

d. A high-security perimeter 
system requires more than a 
single sensor type. 



e. Sensors with the same suscepti- 
bility to nuisance alarms 
should not be combined. 



2. Why is the distinction between 
passive and active sensors 
important? 

3. What are some of the advantages of 
combining sensor inputs in an 
AND configuration? 

4. What are some of the disadvantages 
of combining sensor outputs in an 
AND configuration? 

5. What are some of the advantages 
of using sensor outputs in an OR 
configuration? 

6. What are some of the disadvantages 
of using sensor outputs in an OR 
configuration? 

7. In what situations would a member 
of the protective force (guard) be 
used instead of an exterior intru- 
sion sensor? How effective is detec- 
tion under these conditions and 
why? 

8. Why should field-testing of sensors 
be performed at the site where the 
sensors may be used in a system? 

9. When are false alarms considered 
excessive? 

10. Does a high probability of intrusion 
sensing always imply a high prob- 
ability of detection? 

11. How does surface water cause 
an unreliable condition for micro- 
wave sensors but not infrared 
sensors? 

12. What are some advantages and dis- 
advantages of sensors incorporat- 
ing pattern recognition? 

13. Assume an exterior bistatic micro- 
wave sensor has been tested for a 
running man. The man runs straight 
through the detection volume at 15 
feet per second and is detected 25 
of 28 times. What is the P D for this 
sensor against this attack? Is this 
the value you would use when you 
do your analysis? 
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The design of an interior-intrusion detec- 
tion system requires a thorough knowl- 
edge of the operational, physical, and 
environmental characteristics of the 
facility to be protected. In addition, the 
designer must be familiar with the broad 
spectrum of sensors available, how the 
sensors interact with the adversary and 
the environment, and the physical princi- 
ples on which each of the sensors 
depends for its operation. This chapter 
will address interior-intrusion sensor 
technology. Figure 7.1 shows the example 
interior layout that will be used through- 
out this chapter. 

Interior intrusion sensors, when inte- 
grated into a system using administrative 
procedures, access controls, and material 
monitoring, can be highly effective 
against insider threats. Using interior 
intrusion sensors that are correctly 
placed, installed, maintained, and tested, 
an alarm can be generated by unautho- 
rized acts or the unauthorized presence of 
insiders as well as outsiders. 



Performance Characteristics 

As described in Chapter 6, "Exterior Intru- 
sion Sensor," intrusion sensor perfor- 
mance is described by three fundamental 
characteristics: 

• probability of detection (PD) 

• nuisance alarm rate (NAR) 

• vulnerability to defeat 

An understanding of these characteristics 
is essential for designing and operating 
an effective intrusion detection system. 
Refer to the discussion in Chapter 6 for 
detailed information on performance 
characteristics. 

As with exterior sensors, specific cri- 
teria for measuring the effectiveness of 
interior sensors are required, as in the 
statement, "Devices and equipment used 
in interior-intrusion detection systems 
shall meet the requirements of UL 639 
and shall be functionally tested per estab- 
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lished procedures at a frequency that is 
documented." For example, the statement 
"Volumetric sensors shall detect an indi- 
vidual moving at a rate of 1 foot per 
second or faster within the total field-of- 
view of the sensor" is a clear and mea- 
surable specification for interior sensor 
performance. Additional information on 
performance characteristics specific for 
interior intrusion sensors follows. 

As with exterior sensors, a nuisance 
alarm is any alarm that is not caused by 
an intrusion. Common sources of nui- 
sance alarms for interior sensors include 
electromagnetic, acoustic, thermal, mete- 
orological, seismic, and optical effects 
and wildlife (birds, insects, animals). 
False alarms are those nuisance alarms 
generated by the equipment itself 
(whether by poor design, inadequate 
maintenance, or component failure). Dif- 
ferent types of intrusion sensors have 
different sensitivities to these nuisance 
or false alarm sources, as is discussed in 
detail later in this chapter. 

An interior-intrusion detection system 
is vulnerable to both outsiders and in- 
siders. These terms were fully discussed 



in Chapter 3, "Threat Definition." Because 
insiders have authorized access to an 
area or facility, many perimeter exterior 
sensors are not in the detection path of the 
insider. Interior sensors, on the other 
hand, can still be useful for detecting 
insider theft or sabotage, as well as any 
attacks by outsiders. 

Interior sensors are often placed in 
access mode during regular working 
hours, making them more susceptible to 
tampering by an insider. In many alarm- 
monitoring systems, access mode means 
that the sensor alarms are temporar- 
ily masked so that alarms are not dis- 
played at the alarm-monitoring station. 
An insider among maintenance per- 
sonnel probably has the greatest oppor- 
tunity and the technical skills necessary 
to compromise sensors or the system 
compared to other employees. Vulnerabil- 
ities created by a technically capable 
insider include reducing sensor sensitiv- 
ity, shifting a sensor's coverage area, or 
changing the characteristics of a zone 
area. These actions may not totally 
disable a sensor, but could create a hole 
in detection. 
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Sensor Classification 



There are several ways of classifying 
the types of intrusion sensors. In this dis- 
cussion, the following methods of classi- 
fication are used for interior intrusion 
sensors: 

• passive or active 

• covert or visible 

• volumetric or line detection 

• application 

Active or Passive 

A useful way of looking at interior sensors 
and their interaction with the environment 
is to consider the sensors in two categories: 
active and passive. Active sensors transmit 
a signal from a transmitter and, with a 
receiver, detect changes or reflections of 
that signal. The transmitter and the 
receiver may be separated, in which case 
the installation is called bistatic, or they 
may be located together, in which case the 
installation is called monostatic. The prin- 
cipal point is that these active sensors gen- 
erate a field of energy when the sensor is 
operating, and a very sophisticated adver- 
sary could use this field to detect the pres- 
ence of the sensor prior to stepping into the 
active sensing zone. 

Passive sensors are different from active 
sensors in that they produce no signal 
from a transmitter and are simply re- 
ceivers of energy in the proximity of the 
sensor. This energy may be due to vibra- 
tion (from a walking man or a truck), 
infrared (from a human or a hot object), 
acoustic (sounds of a destructive break- 
in), or from a change in the mechanical 
configuration of the sensor (in the case of 
the simpler electromechanical devices). 
The distinction of passive or active has 
a practical importance. The presence or 
location of a passive sensor can be more 
difficult to determine than that of an 
active sensor; this puts the intruder at 
a disadvantage. In environments with 



explosive vapors or materials, passive 
sensors are safer than active ones because 
no energy that might initiate explosives is 
emitted. 



Covert or Visible 

Covert sensors are hidden from view; 
examples are sensors that are located in 
walls or under the floor. Visible sensors 
are in plain view of an intruder; examples 
are sensors that are attached to a door or 
mounted on another support structure. 
Covert sensors are more difficult for an 
intruder to detect and locate, and thus 
they can be more effective; also, they 
do not disturb the appearance of 
the environment. Another consideration, 
however, is that visible sensors may deter 
the intruder from acting. Visible sensors 
are typically simpler to install and easier 
to repair than covert ones. 

Volumetric or Line Detection 

The entire volume or a portion of the 
volume of a room or building can be pro- 
tected using volumetric motion sensors. 
An advantage of volumetric motion 
sensors is that they will detect an intruder 
moving in the detection zone regardless of 
the point of entry into the zone. 

Forcible entry through doors, windows, 
or walls of a room can be detected using 
line-type sensors. These sensors only 
detect activity at a specific location or 
a very narrow area. Unlike volumetric 
sensors, line sensors only detect an 
intruder if he or she violates a particular 
entry point into a detection zone. 

Application 

Sensors may be grouped by their applica- 
tion in the physical detection space. Some 
sensors may be applied in several ways. 
There are three application classes for 
interior sensors: 
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Figure 7.2 Boundary-Penetration Sensor Location. Boundaries for interior areas are 
usually established by walls, doors, and windows 



• Boundary-penetration sensors detect 
penetration of the boundary to an 
interior area. 

• Interior motion sensors detect 
motion of an intruder within a 
confined interior area. 

• Proximity sensors can detect an 
intruder in the area immediately 
adjacent to an object in an interior 
area or when the intruder touches 
the object. 

Sensor Technology 

In the following discussion of interior 
sensor technologies, the sensors are 
grouped by their application. Excellent 
reviews of interior-intrusion sensor tech- 
nologies have been written by Barnard 
(1988), Cumming (1992), and Rodriguez 
(1991). 

Boundary-Penetration Sensors 

This class of sensors includes vibration, 
electromechanical, infrasonic, capacitance 
proximity, and passive sonic sensors. The 



interior area best protected by bound- 
arypenetration sensors is shown in 
Figure 7.2. This area includes ceilings 
and floors of rooms as well as walls and 
doors. 

Vibration Sensors 

Boundary-penetration vibration sensors 
are passive line sensors and can be either 
visible or covert. They detect the move- 
ment of the surface to which they are fas- 
tened. A human blow or other sudden 
impact on a surface will cause that surface 
to vibrate at a specific frequency deter- 
mined by its construction. The vibration 
frequencies are determined to a lesser 
extent by the impacting tool. 

Vibration sensors may be as simple as 
jiggle switches, or they may be as complex 
as inertial switches or piezoelectric 
sensors. Inertial switches use a metallic 
ball mounted on metal contacts as the 
sensing element. The body of the sensor 
is mounted on the vibrating surface and 
the ball tends to remain stationary relative 
to the surface. As the body of the sensor 
is moved, the inertia of the ball causes the 
ball to momentarily lose contact with the 
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mount, causing an alarm. The vibration 
frequencies detected by an inertial sensor 
are usually 2-5 kHz. The sensing element 
of a piezoelectric sensor is also mounted 
directly on the vibrating surface and 
moves relative to the mass of the sensor 
body. This motion flexes the piezoelectric 
element, causing a voltage output that can 
be processed for the proper combination 
of amplitude, frequency, and duration 
to detect an intrusion. The vibration 
frequencies detected by a piezoelectric 
vibration sensor are 5-50 kHz. 

Glass-break sensors that mount directly 
to the glass are vibration sensors. These 
are specifically designed to generate an 
alarm when the frequencies more nearly 
associated with breaking glass are present. 
These frequencies are normally above 
20 kHz. Active glass-break sensors intro- 
duce a vibration into the protected glass 
(e.g., a window) and listens for the signal 
received by a second transducer located 
elsewhere on the glass. Breaking the glass 
causes the retrieved signal to change and 
generate an alarm. Active glass-break 
sensors are more expensive than other 
glass-break sensors, but their nuisance 
alarm rate is much lower. 

The more recent models of fiber-optic 
intrusion sensors also detect vibration. 
These are passive, line sensors, and can 
be either visible or covert. Fiber-optic 
sensors of this type detect microbending 
of fiber-optic cable. Microbending is 
caused by cable movement or bending, 
even minute movement of the cable such 
as vibration of the surface to which the 
cable is attached. A processing unit that is 
part of the fiber-optic sensor transmits 
light down the cable and also receives the 
light at the other end. Microbending 
causes changes to the light at the receiv- 
ing end, and these changes are detected. 
The processing unit also includes a 
number of user-adjustable parameters 
such as low- and high-frequency filtering, 
amplitude filtering, and pulse duration 
and count. The adjustable parameters aim 
to reduce sensitivity to nuisance sources, 



while maintaining enough sensitivity to 
intrusion activity. However, when propos- 
ing use of a fiber-optic sensor for vibration 
detection, the coincidence of intrusion 
activity frequencies and nuisance source 
frequencies (such as vibrations caused by 
nearby machinery, vehicles, trains, and air 
traffic near airports) must be considered. 
Filtering of the nuisance frequencies is 
possible, but this may also reduce intru- 
sion sensitivity if there are no intrusion- 
induced frequencies beyond the nuisance 
frequencies. 

The primary application advantage of 
vibration sensors is that they provide 
early warning of a forced entry. When 
applying vibration sensors, the designer 
must be aware that the detector might gen- 
erate nuisance alarms if mounted on walls 
or structures that are exposed to external 
vibrations. If the structures are subject 
to severe vibrations caused by external 
sources such as rotating machinery, vibra- 
tion sensors should not be used. However, 
if the structures are subject to occasional 
impacts, vibration sensors with a pulse 
accumulator or count circuit might be 
effective. These circuits will allow a 
limited number of impacts to occur, as 
long as the number remains below a pre- 
determined threshold. 

Electromechanical Sensors 

Electromechanical sensors are passive, 
visible, line sensors. The most common 
type is a relatively simple switch gener- 
ally used on doors and windows. Most of 
these switches are magnetic switches, 
which consist of two units: a switch unit 
and a magnetic unit. Figure 7.3 shows a 
magnetic reed switch and its components 
in the closed and open positions. 

The switch unit, which contains a mag- 
netic reed switch, is mounted on the sta- 
tionary part of the door or window. The 
magnetic unit, which contains a perma- 
nent magnet, is mounted on the movable 
part of the door or window, adjacent to the 
switch unit. With the door or window 
closed, the spacing between the switch 
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(Door Closed) 
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Figure 7.3 Simple Magnetic Switch. 
When the door is closed, the magnet 
holds the switch closed. When the door 
opens, the magnetic field is removed, the 
switch opens, and it generates an alarm 



unit and magnet unit is adjusted so that 
the magnetic field from the permanent 
magnet causes the reed switch to be in the 
closed (or secure) position. A subsequent 
opening of the door or window (removal 
of the magnet) results in the decrease of 
the magnetic field at the switch, causing 
movement of the switch to the open (or 
alarm) position. Placing a strong magnet 
near the switch unit and forcing the 
switch to the secure position, allowing 
undetected access through the door, easily 
defeats these switches. 

An additional bias magnet in the switch 
unit that can be adjusted to help prevent 
defeat is also available. Magnetic sensors 
with bias magnets are generally referred 
to as balanced magnetic switches (BMS). 
Other variations include multiple reed 
switches and multiple magnets; fusing 
and voltage breakdown sensing devices; 
and shielded case construction. Some 
units incorporate internal electromagnets 
for self-testing, which have complex inter- 
actions with the switch units, increasing 
the complexity of the unit and decreasing 
its vulnerability to defeat. 

BMSs provide a higher level of protec- 
tion for doors and windows than either 
magnetically or mechanically activated 
contacts or tilt switches. However, the 
protection is only as good as the penetra- 
tion resistance of the door or window. 



These sensors are only adequate if the 
intruder opens the door or window for 
entry. If the intruder cuts through the 
door, the BMS will be bypassed. Sample 
design criteria for a BMS might be, "a 
BMS shall initiate an alarm whenever the 
door is moved 1 inch or more from the 
jamb ... A BMS shall NOT initiate an 
alarm for door movements of V 2 inch 
or less." 

A relatively new type of magnetic 
switch is known as a Hall effect switch. 
This switch is totally electronic without 
mechanical reed switches. It contains 
active electronics and requires power. It is 
intended to provide a higher level of secu- 
rity than the balanced magnetic switches. 
Similar to other magnetic switches, it con- 
sists of a switch unit and a magnetic unit. 
Operation of the switch is based on Hall 
effect devices in the switch unit that 
measure and monitor the magnetic field 
strength of the magnetic unit. The Hall 
effect is a phenomenon that occurs when 
a current-carrying wire (or metallic strip) 
is exposed to an external magnetic field. 
In this state, the magnetic field causes 
charge carriers to be accelerated toward 
one side of the wire, resulting in a charge 
separation across the wire. The amount 
and polarity of the charge separation is 
proportional to the magnetic field strength 
and magnetic polarity. The separation of 
charge in the wire is called the Hall effect. 
The amount of charge can be measured 
across the sides of a metallic strip. In the 
Hall effect switch, if significant enough 
magnetic field changes occur as measured 
by the Hall effect devices, an alarm con- 
dition is generated. Both the BMS and 
Hall effect sensors provide better protec- 
tion against insider tampering and defeat 
than does the simple magnetic switch. 
The Hall effect switch also provides 
increased tamper and defeat protection 
over the BMS. An insider will be required 
to be more knowledgeable as the sensor 
technology progresses from simple mag- 
netic switch to BMS and then to Hall 
effect. 
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Another electromechanical sensor, the 
continuity or breakwire sensor, is usually 
attached to or enclosed in walls, ceilings, 
or floors to detect penetration through 
many types of construction materials. The 
sensor consists of small electrically con- 
ductive wires and electronics to report an 
alarm when the conductor is broken. The 
wires can be formed in any pattern to 
protect areas of unusual shape. Printed 
circuit technology can be used to fabricate 
continuity sensors if desired. 

Breakwire grids and screens can be 
used to detect forcible penetrations 
through vent openings, floors, walls, 
ceilings, locked storage cabinets, vaults, 
and skylights. Nuisance alarm rates for 
this class of sensor are very low since the 
wire must be broken to initiate an alarm. 
Breakwire sensors should be electrically 
supervised to decrease the chances of 
tampering. Since these sensors require a 
break or cut to detect, they can be defeated 
through the use of a jumper around a cut 
or by movement of the wire to allow pen- 
etration. Another version of a breakwire 
sensor uses optical fibers instead of elec- 
trical wire. The principle is the same — the 
optical fiber must be broken or damaged 
enough to stop or significantly reduce 
light transmission. These are considered 
fiber-optic intrusion sensors, but are very 
different and much simpler than the fiber- 
optic intrusion sensors described earlier 
under vibration sensors. 

Capacitance Sensors 

Capacitance sensors are most commonly 
proximity type sensors; however, they 
can be applied for boundary penetration 
detection. They establish a resonant elec- 
trical circuit between a protected metal 
object and a control unit, making them 
active sensors. The capacitance between 
the protected metal object and a ground 
plane becomes a part of the total capaci- 
tance of a tuned circuit in an oscillator. 
The object to be protected is electrically 
isolated from the ground plane. The 
capacitive dielectric is usually the air that 



surrounds, or is between, the protected 
object and the ground plane. The tuned 
circuit may have a fixed frequency of 
oscillation, or the oscillator frequency 
may vary. 

Oscillators whose frequency is fixed 
have an internally adjustable capacitance, 
which is used to compensate for different 
capacitive loads. A loop of wire, known as 
the protection loop, is connected between 
the conductive object or objects to be 
protected and the control unit, which 
contains the tuned circuit. Once the con- 
nection is made, the circuit is adjusted to 
resonance. Then any change in capaci- 
tance within the protection loop (which 
now includes the metal objects to be pro- 
tected) will disturb the resonance condi- 
tion, thereby causing an alarm. Humans 
very close to or touching the protected 
object will change the capacitance of the 
protection loop. Alarms can be generated 
by a person being very close or actually 
touching the object based on the sensitiv- 
ity settings of the control unit. 

Infrasonic Sensors and Passive 
Sonic Sensors 

Infrasonic sensors are a class of intrusion 
sensors that operate by sensing pressure 
changes in the volume in which they are 
installed. A slight pressure change occurs 
whenever a door leading into a closed 
room is opened or closed, for example. 
The sound pressure waves thus generated 
have frequencies below 2 Hz. They are 
passive sensors that can be centrally 
located in a building some distance from 
exit doors. Air blowing into the closed 
volume can cause nuisance alarms with 
an infrasonic sensor. These sensors are 
best used in environments where there is 
only occasional access, such as a storage 
area. 

Passive sonic sensors are passive, 
covert, volumetric sensors. They are one 
of the simplest intrusion detectors, using 
a microphone to listen to the sounds 
generated in the area within range of 
the microphone. If sounds of the correct 
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amplitude, frequency content, and dura- 
tion or repetition rate corresponding to a 
destructive penetration are heard, an 
alarm is generated. It is possible to make 
the sensor respond only to frequencies in 
the ultrasonic frequency range. This kind 
of sensor is then termed a passive ultra- 
sonic sensor. Passive sonic sensors have 
limited effectiveness and are seldom used 
anymore. There are some applications, 
such as in bank vaults, where they may 
still be in use. 

Active Infrared Sensors 

Active infrared (IR) sensors are active, 
visible, line sensors. These sensors estab- 
lish a beam of infrared light using an 
infrared light source or sources (mated 
with appropriate lenses) as the transmit- 
ters and photodetectors for receivers. 
Several transmitters and receivers are 
usually employed to provide a system 
with multiple beams, and the beams are 
usually configured into a vertical infrared 
fence. A pulsed, synchronous technique 
may be used to reduce interference and 
the possibility of defeat by other sources 
of light. Infrared light is invisible to the 
human eye. 

The narrow vertical plane in which this 
sensor operates does not provide any sig- 
nificant volume coverage, and the PPS 
designer must carefully consider its 
installation in order to avoid easy defeat 
or bypass. These sensors can also be used 
over short ranges in applications for 
filling gaps, such as for gates, doors, and 
portals. They may also be used in appli- 
cations with long ranges up to about 100 
meters. To reduce the vulnerability of an 
intruder bypassing the active IR sensor, 
at least two detectors should be installed 
to form a barrier. Mirrors also can be 
installed to reflect the IR beam back and 
forth to form a fence-like pattern across an 
entrance. 

Active IR sensors are susceptible to 
several nuisance alarm sources. Smoke 
and dust in the air can scatter the beam 
until, depending on the density of the 



particles, the energy at the receiver is 
reduced to a level that causes the sensor 
to initiate an alarm. Falling objects, small 
animals, or anything that could interrupt 
the IR beam long enough can cause 
an alarm. 

Fiber-Optic Cable Sensors 

These sensors are passive line detectors 
and can be either visible or covert. They 
can be applied as either a boundary pen- 
etration or a proximity sensor. A fiber- 
optic sensor typically consists of a length 
of fiber-optic sensing cable and an alarm 
processor unit. Both ends of the fiber are 
usually connected to the processor unit, 
which has a light source, a light receiver, 
and signal alarm processing electronics. 
One of the major advantages of a fiber- 
optic cable is its immunity to radio and 
electromagnetic frequencies, and to 
changes in temperature and humidity. 
Fiber-optic sensors can be separated 
into two major categories: continuity- 
type sensors and microbend-type sensors. 

A fiber-optic continuity sensor is pri- 
marily sensitive to damage or breaks in 
the fiber loop, which causes a severe loss 
of signal amplitude at the receiver. The 
signal alarm processor detects the loss 
of signal and then initiates an alarm. 
Schemes such as time-of-flight techniques 
and synchronous detection, which are 
based on injecting pulses of light into the 
fiber, may recognize attempts to splice or 
bridge portions of the optical fiber. 

A microbend fiber-optic sensor is sensi- 
tive to both applied pressure and move- 
ment of the cable. Pressure and movement 
cause microbends in the fiber cable, 
which are detected. There are two tech- 
niques being implemented by the various 
brands of fiber-optic sensors for detection 
of microbending, including speckle 
pattern and interferometry. The speckle 
pattern technique utilizes multimode 
fiber-optic cable through which light 
travels in many different paths. Be- 
cause of the many paths, light at the end 
of the cable appears as a speckle pattern 
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of light and dark patches when focused 
onto a detector surface. When the cable is 
stationary, the pattern is stationary; when 
microbending occurs, the speckle pattern 
changes. A photodiode detector converts 
the changes to electrical signals. Single- 
mode fiber is used with the interfer- 
ometry technique. Wavelength-division 
multiplexing is employed using a beam- 
splitter, which generates multiple light 
signals at different wavelengths to travel 
down the same fiber in opposite direc- 
tions. When pressure is applied to the 
fiber cable, changes to the interference 
between the signals occur. These changes 
are detected and converted to electrical 
signals for processing. 

With either technique, the alarm 
processor performs electrical signal- 
processing of the microbending events 
that occur along a fiber sensor cable. The 
processing is aimed at detecting intruder 
movement and rejecting nuisance alarm 
sources. The amount of processing 
varies among the different models. Exam- 
ples of the processing are sensitivity and 
threshold levels, event counting, event 
timing, and low- and high-pass frequency 
filtering. 

The sensing area covered by a fiber- 
optic sensor depends on how the cable is 
laid out or arranged and the maximum 
length of cable supported by the fiber 
processor. Systems currently being offered 
can support in the ranges of 1,000 to 2,000 
yards of sensor cable, depending on the 
system. 

When properly installed, fiber optics 
used as continuity sensors are a reliable 
means of intrusion detection as a struc- 
tural boundary penetration sensor. These 
sensors depend on severe cable damage or 
breakage for detection. The cable needs to 
be installed so that it will be damaged or 
broken when surfaces such as the walls 
or ceiling of a building are being cut or 
broken through. Fiber-optic microbend 
sensors are a newer technology than 
the continuity type. Possible interior 
applications include installation in walls, 
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Figure 7.4 Interior Volume Protection 
Area for Motion Sensors. Volume protec- 
tion can detect an intruder regardless of 
the point of entry 

ceilings, or doors, or under carpets (Vigil, 
1994; Sandoval and Malone, 1996). One 
advantage of using a fiber-optic micro- 
bend sensor over a continuity sensor is 
that a microbend sensor can give earlier 
warning that an intrusion is being at- 
tempted. For example, when used in pro- 
tecting a wall the sensor can detect the 
vibrations caused by the intrusion 
attempt. 



Interior Motion Sensors 

Sensors that use several different types 
of technology fall into this category of 
motion sensors. Figure 7.4 shows the inte- 
rior areas best suited to motion sensors. 

Microwave Sensors 

Microwave sensors are active, visible, vol- 
umetric sensors. They establish an energy 
field using energy in the electromagnetic 
spectrum, usually at frequencies on the 
order of 10 GHz. Interior microwave 
motion sensors are nearly always in the 
monostatic configuration with a single 
antenna being used both to transmit and 
receive. Intrusion detection is based on 
the Doppler frequency shift between the 
transmitted and received signal caused by 
a moving object within the energy field. 
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Figure 7.5 Typical Microwave Detection 
Patterns. The detection pattern varies 
based on antenna design 



The Doppler shift requires a sufficient 
amplitude change and duration time to 
cause an alarm. In practical terms, this 
means that the microwave transmitter 
sends out a known frequency and if a 
higher or lower frequency is returned to 
the receiver, this is an indication that a 
target is moving closer or further away 
from the sensor. Due to this operating 
principle, optimum detection for micro- 
wave sensors is achieved when the target 
is moving towards or away from the 
sensor, not across the detection zone. 
Placement of microwave sensors should 
then be made so that the adversary is 
forced to move in this manner. 

The shape of the detection zone is gov- 
erned by the design of the antenna and is 
roughly similar to an elongated balloon. 
The antenna is typically a microwave 
horn but may be a printed circuit planar 
or phased array. Figure 7.5 shows a typical 
relationship between the antenna and 
pattern shape. It should be noted that 
these patterns are approximate; a truer 
representation of a microwave detection 
pattern is shown in Figure 7.6. The dif- 
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Figure 7.6 True Microwave Detection 
Pattern. The actual pattern has places 
where the pattern is not perfectly 
symmetrical 



ferences in the typical pattern and the true 
pattern should be considered when using 
microwave sensors. If the target to be pro- 
tected or the critical area falls within the 
concave portion of the true pattern, the 
sensor can be defeated. 

This pattern feature is desirable if the 
sensor is to be used at a location where 
the microwave energy can penetrate 
beyond the walls of the area or room being 
protected. Microwave energy will readily 
penetrate most glass, as well as plaster, 
gypsum, plywood, and many other ma- 
terials used in normal wall construction. 
Such penetration can cause unwanted 
interference with effective sensor opera- 
tion. Metal objects, such as large book- 
cases or desks and screens or fencing 
within the protected area, can cause 
shadow zones and incomplete coverage. 
On the other hand, metal objects reflect 
the microwave energy, which can result in 
improved detection in an area that might 
be considered a shadow zone. 

The fact that microwave energy can 
penetrate walls has both advantages and 
disadvantages. An advantage occurs when 
an intruder is detected by the microwave 
energy penetrating partitions within a 
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protected volume; but detecting someone 
or something moving outside the pro- 
tected area, or even outside the building, 
is then a disadvantage and would cause 
a nuisance alarm. Because microwave 
energy is difficult to contain, special care 
should be taken when locating and direct- 
ing the energy within the area requiring 
protection. 

Other advantages of microwave detec- 
tors include: 



Invisible and inaudible detection 
pattern 

Reliable low maintenance device 
Low cost for area of coverage 
High probability of detection 
Immune to high air turbulence, tem- 
perature and humidity changes 
Variety of detection patterns 
available 



For all of their good qualities, there 
are a few disadvantages to the use of 
microwave sensors, in addition to those 
described above. These are: 

• Require a completely rigid mounting 

• Susceptible to pattern drift 

• Tendency to reflect off metallic 
objects 

• Extra considerations are required 
when considering installing in an 
area with light construction (glass, 
plaster board, wood) 

Monostatic microwave devices can also 
be used as point sensors to provide 
limited coverage of a point or area in 
which other sensors may provide inade- 
quate coverage or may be vulnerable to 
tampering. A common commercial appli- 
cation of monostatic microwave sensors is 
the automatic door openers used in super- 
markets and airports. 

Microwave detectors should be mount- 
ed high, near the ceiling of the area being 
protected. They should be aimed in the 
direction of desired coverage, yet pointed 
away from metal objects that might reflect 



microwave energy and cause nuisance 
alarms. Multiple microwave sensors used 
within the same area must be set at dif- 
ferent frequencies. Sensors at the same 
frequency will interfere with each other 
and cause continual nuisance alarms. 
Some manufacturers offer microwave 
sensors with different operating frequen- 
cies. Common sources of nuisance alarms 
for microwave sensors include movement 
of objects (i.e., nonhuman) within and 
outside the detection zone, small animals 
or birds, and vibration due to poor sensor 
installation and mounting. The ionized 
gas in fluorescent lights can reflect 
microwave energy. This can cause nui- 
sance alarms due to the 60 Hz rate of the 
ionization, so fluorescent lights should 
not be within the detection area of a 
microwave sensor. Some models have 
filters that will ignore the Doppler shift 
created by fluorescent lights. Microwave 
sensor vulnerabilities include slow- 
moving targets, absorption or reflection of 
the microwave energy, blockage of the 
field of view (such as stacking boxes or 
moving furniture around in a room), and 
motion along the circumference of the 
detection pattern. 



Ultrasonic Sensors 

Ultrasonic sensors are active, visible, vol- 
umetric sensors. They establish a detec- 
tion field using energy in the acoustic 
spectrum typically in the frequency 
range between 19 and 40 kHz. Ultrasonic 
sensors may be monostatic, and as is the 
case with monostatic microwave sensors, 
detection is based on the frequency shift 
between the transmitted and received 
signal caused by the Doppler effect from 
a moving object in the beam. The magni- 
tude and range of the frequency shift 
depend on the moving target's size, veloc- 
ity, and direction. The shape of the detec- 
tion zone is similar to the monostatic 
microwave sensor detection zone, but the 
effective shape can be changed by the 
installation of deflectors. 
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Most common solid materials such as 
walls, cardboard, and windows will stop 
or deflect ultrasonic waves. Large objects 
in a protected volume, such as bookcases, 
desks, and partial wall partitions, will 
create shadow zones. Coverage of a 
volume by several of the sensors can 
usually overcome this problem. 

A feature of ultrasonic energy is that it 
will not penetrate physical barriers such 
as walls; therefore, it can be easily con- 
tained in closed rooms. Since acoustical 
energy will not penetrate physical bar- 
riers, the walls of the protected room will 
either absorb or reflect the energy. 
Because most walls absorb very little 
ultrasonic energy unless they are covered 
with a very soft material, such as heavy 
drapes, most of the energy is reflected. 
This reflected energy helps fill the detec- 
tion zone, making it more difficult for an 
intruder to escape detection. 

Mechanically produced stimuli such as 
air turbulence or miscellaneous acoustic 
energy sources within the protected zone 
can cause nuisance alarms. Air turbulence 
from heating or air conditioning ducts, 
drafts, and so on, can reduce the effec- 
tiveness by limiting the coverage of ultra- 
sonic sensors, and at the same time, cause 
nuisance alarms. Acoustic energy gener- 
ated by ringing bells and hissing noises, 
such as the noises produced by leaking 
radiators or compressed air, contains fre- 
quency components in the operating fre- 
quency band of ultrasonic sensors. These 
sources of ultrasonic energy sometimes 
produce signals similar to an intruder that 
can confuse the signal processor and 
cause nuisance alarms. 

Another environmental condition that 
can affect ultrasonic sensor performance 
is the climate within the protected area. 
Appreciable changes in the relative 
humidity can change the detector's sensi- 
tivity until, in some installations, a sensor 
can become overly sensitive to the envi- 
ronment, which could cause nuisance 
alarms. Ultrasonic sensors may also be 
bistatic, and detection is based on a com- 



bination of Doppler effect and signal 
amplitude variation. In a bistatic installa- 
tion, receivers and transmitters are placed 
(usually on the ceiling) to obtain the 
desired coverage. Individual receivers 
will have range adjustments. Other char- 
acteristics will be similar to monostatic 
ultrasonic sensors. 

Active Sonic Sensors 

Sonic sensors are active, visible, and vol- 
umetric. They establish a detection field 
using energy in the acoustic spectrum at 
frequencies between 500 and 1,000 Hz. 
These units can be used in monostatic, 
bistatic, or multistatic modes of operation. 
Since a much lower frequency is trans- 
mitted, good reflections are obtained, and 
standing waves will be established in the 
protected volume even in the monostatic 
configuration. For proper operation, it is 
necessary to establish standing waves to 
prevent drastic reduction of the detection 
range. 

The frequencies used for these sensors 
are well within the hearing range of the 
human ear and are quite unpleasant to the 
listener. Further, in addition to a remote 
alarm indication, one of these sensors will 
give an electronic siren type of alarm 
varying between 350 and 1,100 Hz at 3 
cycles per second for 90 seconds. This 
audible alarm can be adjusted in audio 
level up to 135 dB. For this reason, they 
are seldom found in normal operating 
environments where there is significant 
human activity or interaction. 

Passive Infrared Sensors 

Passive infrared (PIR) sensors are visible 
and volumetric. This sensor responds to 
changes in the energy emitted by a human 
intruder, which is approximately equal to 
the heat from a 50-watt light bulb. They 
also have the capability to detect changes 
in the background thermal energy caused 
by someone moving through the detector 
field of view and hiding in the energy 
emanating from objects in the background 
if there are sufficient differences in 
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the background energy. These systems 
typically employ special optical and 
electronic techniques that limit their 
detection primarily to an energy source 
in motion; therefore, reliance on back- 
ground energy change for detection is 
discouraged. 

There are four major characteristics 
of infrared radiation. First, all objects 
emit infrared radiation. The intensity 
of the infrared is related to the object's 
temperature. Second, infrared energy is 
transmitted without physical contact 
between the emitting and receiving sur- 
faces. Third, infrared warms the receiv- 
ing surface and can be detected by any 
device capable of sensing a change in 
temperature. Fourth, infrared radiation 
is invisible to the human eye. PIR 
sensors respond to infrared energy in the 
wavelength band between 8 and 14 
nanometers (nm). 

The passive infrared sensor is a ther- 
mopile or pyroelectric detector that 
receives radiation from the intruder and 
converts this radiation into an electrical 
signal. The signal is then amplified and 
processed through logic circuits, which 
generally require that the source of radia- 
tion move within the field of view of the 
sensor. If the signal is strong enough and 
the required movement occurs, an alarm 
is generated. Detection is based on the 
difference in temperature between the 
intruder and the background and is 
referred to as the minimum resolvable 
temperature (MRT). Some manufacturers 
specify an MRT as low as 1°C. 

A pyroelectric detector is based on the 
fact that certain dielectric materials of low 
crystal symmetry exhibit spontaneous 
dielectric polarization. When the electric 
dipole moment occurs is dependent on 
the temperature at which the material 
becomes pyroelectric. Through the use of 
segmented parabolic mirrors or Fresnel 
lens optics, infrared energy is focused 
onto the pyroelectric detector. These 
optics provide a single long conical field 
of view or a multiple segment field of 
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Figure 7. 7 Passive Infrared Sensor Multi- 
segment Detection Zones. As a person 
passes across the detection segments, 
each segment will detect an increase or 
decrease in temperature, which will 
trigger an alarm 



view. Long single-segment sensors are 
used to protect corridors, and those with 
multisegments are used to protect large 
open areas. Figure 7.7 shows a represen- 
tation of the detection zones present in a 
multisegment sensor. As with microwave 
sensors, it should be noted that the detec- 
tion pattern is not a perfect shape, so 
caution should be used when placing 
these devices. In addition, due to the 
operating principles of the device, a PIR 
will be most effective if the target is forced 
to cross the detection pattern, thereby 
entering and exiting multiple detection 
segments over a period of time. Figure 7.8 
shows the true detection pattern of a PIR 
sensor determined via testing. 

Birds and small flying insects can cause 
nuisance alarms with passive infrared 
sensors. Birds flying near the sensor can 
block the background energy from the 
thermal sensors, and if the birds' motions 
satisfy the alarm criteria, the result is a 
nuisance alarm. An insect crawling on the 
lens can cause large temperature changes, 
also resulting in a nuisance alarm. 
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Figure 7.8 True Passive Infrared Detec- 
tion Pattern Determined by Testing. The 
pattern has some concave spots, which 
may create holes in the detection coverage 



Infrared energy does not penetrate most 
building materials, including glass, and 
therefore sources of infrared energy that 
are located outside buildings will not typ- 
ically generate nuisance alarms. Nuisance 
alarms can be generated indirectly, 
however, from sources outside the build- 
ings due to local heating effects. For 
example, while glass and Plexiglas® 
window materials are effective filters for 
infrared energy in the wavelength region 
of interest (8 to 14 nm), sunlight passing 
through windows can produce locally 
heated surfaces that can radiate energy in 
this band. 

Infrared sensors should be located away 
from any heat sources that could produce 
thermal gradients in front of the sensor's 
lens. In addition, heat sources within the 
sensor's field of view should be avoided. 
For instance, an infrared detector should 
never be mounted over or near radiators, 
heaters, hot pipes, or other heating ele- 
ments. Radiant energy from these sources 
can produce thermal gradients in the view 
of the detector's lens that might change 
the background energy pattern. Depend- 
ing on the intensity of the heat source, the 
thermal gradients might cause nuisance 



alarms. An unshielded incandescent light 
that is within 3 to 5 yards of the sensor 
might also cause an alarm if it burns out 
or goes out due to loss of power. 
PIRs offer several advantages, including: 

• Totally passive device 

• Well-defined detection zones 

• No interaction between multiple 
devices 

• Low to moderate cost 

• Relatively few nuisance alarms 

The disadvantages of PIRs include: 

• Moderate vibration sensitivity 

• Sensitivity changes with room 
temperature 

• It is a line-of-sight device and the 
field-of-view is easily blocked 

• Sources of rapid temperature change 
are potential nuisance alarm sources 



Dual-Technology Sensors 

This sensor is active and passive, visible, 
and volumetric. This sensor type attempts 
to achieve absolute alarm confirmation 
while maintaining a high probability of 
detection. Absolute alarm confirmation is 
ideally achieved by combining two tech- 
nologies that individually have a high 
probability of detection and no common 
nuisance alarm-producing stimuli. Cur- 
rently available dual-channel motion 
detectors (dual-technology) combine 
either an active ultrasonic or microwave 
sensor with a passive infrared sensor. 
When used in combination, alarms from 
either the active ultrasonic or microwave 
sensor are logically combined with the 
alarms from the infrared sensor in an 
AND-gate logic configuration. The AND 
gate logic requires nearly simultaneous 
alarms from both the active and passive 
sensors to produce a valid alarm. 

Dual-technology sensors usually have a 
lower nuisance alarm rate than single 
technology sensors — when the detectors 
are properly applied and assuming each 
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has a low nuisance alarm rate. But it is 
important to understand that when two 
sensors are logically combined using an 
AND gate, the probability of detection of 
the combined detectors will be less than 
the probability of detection of the indi- 
vidual detectors. For instance, if an ultra- 
sonic sensor has a probability of detection 
of 0.95, and it is combined with an 
infrared detector that also has a probabil- 
ity of detection of 0.95, the dual sensor 
has the product of the individual proba- 
bilities of detection, or only 0.90. Also, 
ultrasonic and microwave detectors have 
the highest probability of detecting motion 
directly toward or away from the sensor, 
but infrared sensors have the highest 
probability of detecting someone moving 
across the field of view. Therefore, the 
probability of detection of the combined 
sensors in a single unit will be 
less than if the individual detectors are 
mounted perpendicular to each other 
with overlapping energy patterns and 
field-of-view. To optimize the probability 
of detection for combined sensors, 
separately mounted, logically combined 
sensors are recommended. For high-secu- 
rity applications, a single dual-technology 
sensor should never be used in place of 
two separately mounted sensors. If dual- 
technology sensors are to be used, multi- 
ple sensor units should be installed, with 
each unit offering overlap protection of 
the other. 

Video Motion Detection 

A video motion detector (VMD) is a 
passive sensor that processes the video 
signal from a CCTV camera. A single 
camera installed to view the scene of 
interest can be jointly utilized for detec- 
tion, assessment, and surveillance. Gener- 
ally speaking, there are two types of 
VMDs: analog and digital. Analog VMDs 
are the older technology. This type moni- 
tors the camera signal and detects changes 
in brightness in the video scene. The size 
of this detection area can usually be 
varied over a wide range as a percentage 



of total camera field-of-view. A change is 
detected when the brightness is either 
higher or lower than a stored reference. 
An external alarm is generated at the time 
of the change or after additional condi- 
tions (such as time) are satisfied. Once an 
alarm is generated, the section where 
detection has occurred is highlighted on 
the CCTV monitor. Analog VMDs are less 
expensive than digital VMDs. 

Digital VMDs are more sophisticated 
than analog VMDs and have allowed 
broader use of VMD because of their 
ability to reduce nuisance alarms. Digital 
VMDs convert the camera signal into a 
digitized format so that digital processors 
can be used for video signal processing. 
Generally, these VMDs divide a video 
scene into numerous zones, elements, or 
cells, with each cell processed separately. 
The cells are monitored for the amount of 
change in brightness or contrast, logical 
movement across adjacent cells, speed of 
motion across cell areas, size of objects 
within cells, and global changes across 
most or all cells. This processing allows 
much improved distinction between 
intruder movement and nuisance alarm 
sources. Interior use of digital VMDs can 
be effective with careful consideration of 
all nuisance sources within the area, 
proper lighting, and good cameras and 
video transmission equipment. Interior 
nuisance sources for VMDs include 
insects on or flying near the camera lens, 
flickering lights, pets, birds, and rats. 

The assessment camera is an integral 
part of a VMD sensor. Camera character- 
istics affect both detection capability 
and nuisance alarm rate. A low-contrast 
output from a camera reduces detection 
capability. High noise levels from a 
camera can cause nuisance alarms. 
Enough light is required for proper opera- 
tion of CCTV cameras, and the light must 
be uniform to avoid excessively dark or 
light areas. 

Because a VMD detects changes in the 
video brightness level, any change can 
cause an alarm. Flickering lights, camera 



102 



Design Physical Protection System 



movements, and other similar movements 
can lead to excessively high nuisance 
alarm rates. Also, very slow movement 
through the detection zone can defeat 
most VMDs. 

Many VMDs are effective for interior 
use, because nuisance alarm sources like 
snow, fog, traffic flow, and clouds are not 
present. Performance tests should be com- 
pleted on any VMD prior to installation in 
a facility. Tests should be performed with 
a low-profile target, such as a crawler, and 
with higher velocity and profile targets, 
such as people walking or running. 
These tests should be performed under 
the lowest contrast lighting condition 
expected. Vigil (1993) has written an 
excellent evaluation of a number of com- 
mercially available interior VMDs. The 
following factors should be also be con- 
sidered before selecting a VMD: 

• Consistent, controlled lighting (no 
flickering) 

• Camera vibration 

• Objects that could cause blind areas 

• Moving objects such as fans, cur- 
tains, and small animals 

• Changing sunlight or shadows enter- 
ing through windows or doors 



Proximity Sensors 

This class of sensors includes capacitance 
and pressure sensors. Figure 7.9 shows 
the interior areas best protected by prox- 
imity sensors. 

Capacitance Proximity Sensors 

Capacitance proximity sensors are active, 
covert line sensors. They can detect 
anyone either approaching or touching 
metal items or containers that the sensors 
are protecting. These sensors operate on 
the same principle as electrical capacitors. 
A capacitor is an electronic component 
that consists of two conductor plates sepa- 
rated by a dielectric medium. A change in 
the electrical charge or dielectric medium 




Figure 7.9 Proximity Sensor Areas. Prox- 
imity sensors are placed near or on an 
asset to provide detection 



results in a change in the capacitance 
between the two plates. In the case of the 
capacitance proximity sensor, one plate is 
the metal item being protected, and the 
second plate is an electrical reference 
ground plate under and around the pro- 
tected item. The metal item in this 
application is isolated from ground by 
insulating blocks. This leaves only air 
around and between the metal object and 
ground, so air is the dielectric medium. 

Variable frequency oscillators use a 
phase-locked loop and use the correction 
voltage for sensing. This type of capaci- 
tance proximity sensor generally balances 
itself in a short time (usually less than two 
minutes) after being connected to the con- 
ductive metal object to be protected. Once 
the sensor is balanced, any change in 
capacitance between the object to be pro- 
tected and ground will disturb the balance 
condition, thereby causing an alarm. 
Capacitance proximity sensors are oper- 
ated at frequencies below 100 kHz and can 
often be set to detect capacitance changes 
of a few picofarads. 

During operation, the metal object is 
electrically charged to a potential that 
creates an electrostatic field between the 
object and reference ground. The electri- 
cal conductivity of an intruder's body 
alters the dielectric characteristic as the 
intruder approaches or touches the object. 
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Figure 7.10 Depiction of Capacitance 
Proximity Sensor for Safe and File 
Cabinet. Isolating all of the pieces from 
ground on one side and connecting them 
to the sensor, which has a ground con- 
nection, sets up a dielectric field. If the 
field is disturbed by entry of a person, an 
alarm is triggered 

The dielectric change results in a change 
in the capacitance between the protected 
item and the reference ground. When the 
net capacitance charge satisfies the alarm 
criteria, an alarm is activated. Figure 7.10 
illustrates a typical arrangement for con- 
necting a capacitance proximity sensor to 
a safe or file. 

For applications where the object to be 
protected must be grounded, the object 
can be considered the ground plane. This 
requires the fabrication of a capacitance 
blanket for draping over the protected 
object as shown in Figure 7.11. If the 
blanket is made large enough to cover the 
object entirely, any access attempts will 
cause blanket movement, capacitance 
change, and alarm. This can also be useful 
to keep the object out of plain sight, as for 
some classified components or propri- 
etary equipment. 

The sensitivity of capacitance sensors is 
affected by changes in relative humidity 
and the relocation of other metal objects 
closer to or away from the protected item. 
Changes in the relative humidity vary 
the dielectric characteristics, which can 
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Figure 7.11 Capacitance Blanket Proxim- 
ity Sensor. The sensor detects any move- 
ment of the blanket, which disturbs the 
capacitive field and triggers an alarm. 
This application will also keep the object 
out of plain sight 

either increase or decrease the air con- 
ductivity. Capacitance sensors use a self- 
balancing circuit to adjust automatically 
to the change in relative humidity and 
relocation of metal objects close to the 
protected object. If the sensor's sensitivity 
is adjusted to detect an intruder several 
meters from the object, this change in con- 
ductivity could be enough to initiate a 
nuisance alarm. 

Sometimes objects requiring protection 
are located in areas with poor grounding 
conditions. In such places, a reference 
or ground plane can be established by 
installing a metal sheet or screen under 
the object. The use of wooden blocks to 
isolate the protected metal object from the 
ground plane should be avoided. Wooden 
blocks might absorb enough moisture over 
a period of time to change the dielectric 
enough that the protective object is no 
longer isolated from ground, resulting in 
nuisance alarms. Hard rubber material, 
similar to a hockey puck, has been found 
to be a very effective insulator in this 
application. 

Pressure Sensors 

Pressure sensors, often in the form of 
mats, can be placed around or underneath 
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Table 7.1 Classification of Interior Sensors. 





Passive or 
Active 


Covert or 
Visible 


Volumetric or 
Line 


Boundary-Penetration Sensors 








Electromechanical 
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C/V 
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Infrared 


B* 
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Vibration 


P 
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Capacitance 


P 
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Fiber-Optic Cable 


P 
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Interior Motion Sensors 








Microwave 
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Ultrasonic 
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Sonic 
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Passive Infrared 
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V 


Proximity Sensors 








Capacitance 


A 


c 


L 


Pressure 


P 


c 


L 










* Both active and passive types exist 









an object. These sensors are passive, 
covert, line detectors. Pressure mats 
consist of a series of ribbon switches posi- 
tioned parallel to each other along the 
length of the mat. Ribbon switches are 
constructed from two strips of metal in 
the form of a ribbon separated by an insu- 
lating material. They are constructed so 
that when an adequate amount of pres- 
sure, depending on the application, is 
exerted anywhere along the ribbon, the 
metal strips make electrical contact and 
initiate an alarm. 

When using pressure mats in security 
applications, the mats should be well- 
concealed under carpets or even under 



tile or linoleum floor coverings. If the 
intruder is aware of their existence, he 
or she can just step over or bridge over 
the mat. Pressure mats alone should be 
used only to detect low-skill intruders. 
However, pressure mats can be used along 
with other sensors in a system designed to 
provide a higher level of protection. Table 
7.1 provides a summary of classifications 
for interior sensors. 



Wireless Sensors 

The most common wireless sensors are 
the RF transmission type. In the United 
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States these systems typically operate in 
the 300MHz or 900 MHz bands. Some 
systems utilize spread-spectrum tech- 
niques for transmission. A typical RF 
wireless sensor system consists of sensor/ 
transmitter units and a receiver. The 
sensor/transmitter unit has both the 
sensor and transmitter electronics inte- 
grated into one package and are battery 
powered. Advertised battery life is 2 to 5 
years, depending on the number of alarms 
and transmissions. Each sensor/transmit- 
ter unit is programmed with a unique 
identification code. The number of indi- 
vidual sensors that can transmit to one 
receiver and the transmission range varies 
with the system. In most systems the 
receiver can output alarm messages in the 
form of RS-232, logic levels, or relay 
contact operation. In order to conserve 
battery power, the transmitters are in a 
sleep mode until an event requires a 
transmission. Events consist of alarms, 
tampers, and state-of-health messages. 
Alarms and tampers are transmitted when 
they occur. State-of-health messages verify 
that the sensor is still present and operat- 
ing. They typically consist of battery 
status, alarm status, and tamper status 
and are transmitted to the receiver at 
user-specified intervals. The receiver 
is programmed to expect state-of-health 
messages at the specified intervals. If 
they are not received, the receiver will 
indicate a fault condition. 

Most wireless systems use PIR, micro- 
wave, dual-technology, and magnetic 
switches as sensor types. They also typi- 
cally have what is known as a universal 
transmitter. The universal transmitter 
allows interfacing to other sensors or con- 
trols by monitoring the alarm contacts of 
the separate sensor. 

Some of the concerns when using a RF 
sensor system include collisions, signal 
fade, and interference. Collisions occur 
when multiple signals, such as state- 
of-health, are received simultaneously, 
resulting with neither message being read 
by the receiver. Fading can occur when 



the path between the transmitter and 
receiver is too far or is blocked by too 
much material that shields the RF signal, 
such as large metal objects, metallic 
building siding, and so forth. Interfer- 
ence occurs when other RF sources trans- 
mitting in the same frequency range 
overpowers the signal sent by the sen- 
sor/transmitter unit. Techniques such as 
spread-spectrum transmission and dither- 
ing the state-of-health timing can help 
reduce these problems. Testing to verify 
good transmission path and possible 
interference sources prior to final location 
and installation of transmitters and 
receivers is recommended and can 
also help reduce problems. 



Miscellaneous Technologies 

Any quantity or parameter in a volume or 
area that changes when an intrusion takes 
place can be used to detect the intrusion. 
The most common ones have already been 
discussed. Other technologies that have 
been exploited include light and electric 
field. 

Light sensors monitor the average light 
level within their field of view. If the light 
level changes by a predetermined amount, 
the possibility of an intrusion exists. The 
light sensor is designed to produce an 
alarm when such a change occurs. Elec- 
tric field sensors are similar to capaci- 
tance proximity sensors except they may 
cover larger areas. They consist of sets of 
wires, along a wall for example, which 
generate an alarm when a person ap- 
proaches or touches the wires. 

One additional sensor technology uses 
active infrared energy in a continuous 
plane (like a curtain) to create an invis- 
ible detection pattern. The sensor uses a 
mechanical rotating mirror and reflective 
tape for protection. Laboratory testing 
revealed that flies and moths resting on 
the protective tape caused nuisance 
alarms, but a fly passing quickly through 
the plane won't cause alarms. Additional 
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sensors under development are based 
on human presence detection and look 
for human heartbeats, carbon dioxide 
changes, or other human characteristics. 

Effects of Environmental 
Conditions 

A large number of environmental condi- 
tions can produce noise in the same 
energy spectra that the intrusion sensors 
are designed to detect. These outside 
noise sources can degrade sensor perfor- 
mance and may cause the sensor to gen- 
erate an alarm even when an intruder 
is not present. The following sections 
discuss several factors that can degrade a 
sensor's performance. Environmental con- 
ditions that can affect interior sensors 
include: 

• electromagnetic 

• nuclear radiation 

• acoustic 

• thermal 

• optical 

• seismic 

• meteorological 



or concrete, neither of which provides 
electromagnetic shielding, then a high 
background of electromagnetic energy 
generated by sources outside the building 
or room is possible. 

The best way to minimize the effects of 
stray electromagnetic energy is to provide 
electromagnetic shielding to all system 
components (including all data transmis- 
sion links) and to ensure that all the 
components have a common, adequate 
electrical ground. 

Nuclear Radiation Environment 

Nuclear radiation can damage various 
components within the sensor. The most 
susceptible elements are semiconductors. 
Research has shown that current systems 
cannot be made totally invulnerable to the 
effects caused by some radiation environ- 
ments. The appropriate design and choice 
of components and shielding where pos- 
sible can reduce system vulnerability. Gen- 
erally speaking, neutrons will degrade the 
performance of semiconductor devices 
and integrated circuits. The degradation 
primarily depends on the total dose. 



Electromagnetic Environment 

Sources of electromagnetic energy that 
could affect the performance of a particu- 
lar type of interior detection system 
include lightning, power lines and power 
distribution equipment, transmission of 
radio frequencies, telephone lines and 
equipment, lighting, computer and data 
processing equipment. Other sources are 
various electric powered vehicles, such 
as forklifts and elevators, television 
equipment, automotive ignition, electrical 
machinery or equipment, intercom and 
paging equipment, and aircraft. 

Construction of the building or room to 
be monitored will play an important role 
in determining the nature of the electro- 
magnetic energy that is present. If the 
structure is made primarily of wood 



Acoustic Environment 

Acoustic energy is generated by many 
sources within an internal area. Also, 
energy generated by outside sources can be 
transmitted into an area to be protected. 
Some of the forms of acoustic energy that 
can affect the performance of interior 
sensors are noise from meteorological 
phenomena; ventilating, air-conditioning, 
and heat equipment; air compressors; 
television equipment; telephone elec- 
tronic equipment; and exterior sources 
such as aircraft, vehicles, and trains. 



Thermal Environment 

Changes in the thermal environment can 
result in stimuli that affect the perfor- 
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mance of interior intrusion sensors. These 
stimuli include uneven temperature dis- 
tribution that causes air movement within 
the area and expansion and contraction 
of buildings. Causes of changes in the 
thermal environment include weather, 
heating and air-conditioning equipment, 
machinery that produces heat, interior 
lighting, chemical and radioactive reac- 
tions producing thermal outputs, and 
fluctuations of sunlight through windows 
and skylights. 

Optical Effects 

The sources of optical phenomena that 
affect interior intrusion sensors include 
light energy from sunlight, interior 
lighting, highly reflective surfaces, and 
infrared and ultraviolet energy from 
other equipment. 

Seismic Effects 

Seismic phenomena affect interior intru- 
sion devices by producing undesirable 
vibrations in interior areas. Seismic phe- 
nomena include earth tremors, machine 
equipment, vehicular traffic, trains, thun- 
der, and high winds. 

Meteorological Effects 

Meteorological phenomena, such as light- 
ning, thunder, rain, hail, temperature, 
wind, earth tremors, high relative humid- 
ity, and sunlight, that adversely affect 
interior intrusion sensors have already 
been discussed within the individual 
sensor sections. 



Sensor Selection 

Sensor selection consists of identifica- 
tion of the equipment and installation 
methods that best meet the intrusion 
detection system objectives for a given 



facility. Consideration of the interaction 
among equipment, environment, and 
potential intruders is integral to the selec- 
tion of the proper technological type 
of equipment necessary to ensure the 
desired intrusion detection functions. 
Two important physical conditions that 
affect sensor performance are the building 
or room construction and the various 
equipment or objects that occupy the 
same area or room to be monitored. 

The relative susceptibility to nuisance 
alarms of several types of interior sensors 
suitable for fixed site applications is 
shown in Table 7.2. It is usually possible 
to identify appropriate sensors that will 
perform acceptably in the environment in 
question since the environment associ- 
ated with interior areas is normally con- 
trolled and is usually predictable and 
measurable. However, correct sensor 
choice requires that the particular nui- 
sance alarm stimuli to which it is suscep- 
tible be known, as well as whether these 
stimuli are contained in the environment 
in question. This is particularly true of the 
motion detectors (ultrasonic, microwave, 
infrared, and sonic), all of which can be 
installed to provide acceptable detection 
coverage and which typically have nui- 
sance alarms from different stimuli. 
Figure 7.12 shows a possible arrangement 
of interior sensors for an interior area 
similar to the one used in this chapter. 
Optimum performance of an interior 
intrusion detection system can be 
achieved by an appropriate combination 
of sensors and sensor technologies. 
Adams (1996) has published a useful 
summary of operational issues. 

Procedures 

Procedures such as two-person rules, 
sensor effectiveness testing, and good 
maintenance practices and documenta- 
tion ensure an effective interior-intrusion 
detection system. When procuring sen- 
sors, select those that come closest to 
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Table 7.2 Relative Susceptibility of Interior Sensors to Nuisance Alarms. 
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Sensors Wind Temp RH Animals Lightning Power RF Seismic 
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Figure 7.12 Sample Layout of Multiple 
Interior Sensors. A variety of boundary, 
volumetric, and proximity sensors are 
combined to provide protection-in-depth 



meeting performance goals and protection 
requirements while demonstrating com- 
patibility for integration with future 
generation systems. 

The two-person rule is a procedure 
requiring two knowledgeable people to be 
involved in a situation or activity in order 
to prevent compromising facility security 
by a single insider. The two-person rule is 
applicable to functions such as granting 
access within the site and handling of 
critical assets, information, or equipment. 
Each person involved in a two-person 
rule task must be technically qualified to 
detect tampering by the other. The two- 
person rule is effective as long as the 
individuals involved do not relax the 
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requirement because of long-term friend- 
ship or association. 

For testing purposes, it can be very 
useful if a sensor has an audible or visible 
alarm indicator that can be recognized 
from 10 to 35 feet away. This indicator 
should be deactivated during operational 
use. Conduct walk tests every day to start, 
then periodically, based on successful 
results of the daily tests. All sensors 
should be performance tested after main- 
tenance activities. A sensitivity analysis 
or effectiveness test can confirm the per- 
formance of a sensor, verify sensor cover- 
age, and check for blind areas created by 
changes in room layout. Self-test mecha- 
nisms, whether part of a sensor or a 
separate device, will allow frequent 
operational testing of the sensor and 
alarm communication system. Self-testing 
should be activated on a random basis 
(Graham and Workhoven, 1987). 

Installation and maintenance of sensors 
should be at least to manufacturer speci- 
fications, although testing may show 
ways to optimize performance beyond 
manufacturers recommendations. Peri- 
odic inspections of sensors and compo- 
nents will ensure that they conform to the 
required configuration and specifications. 
Possible alterations and modifications to 
components should be looked for during 
inspections Acceptance tests, operational 
tests, and logs of maintenance calls on 
each piece of equipment will help deter- 
mine how many and what kind of spares 
to keep on hand. Thorough inspections of 
spare parts should be performed prior 
to installation. Spare parts should be 
secured during storage in order to deter 
tampering. 

Inspection of sensors after maintenance 
should also be performed. All sensors 
monitored by a data-collection control 
panel should be walk-tested after that 
control panel has undergone mainte- 
nance. Requiring approval of plant modi- 
fication plans by security personnel 
prevents any changes that would degrade 
system performance. This should include 



changing the location of detectors, adding 
objects that may cause nuisance alarms, 
and relocating large objects in the pro- 
tected area. Readjustment of detector 
sensitivity may be necessary following 
remodeling. 

Documentation should be readily avail- 
able showing theory of operation of equip- 
ment, functional block diagrams, cabling 
diagrams, schematics, and parts lists 
showing manufacturers and commercial 
equivalent part numbers. Maintenance 
logs can be used to monitor reliability 
of equipment and problem components 



or areas. 



System Integration 



System integration is the process of com- 
bining individual technology elements, 
procedures, and personnel into one 
system for providing security at a facility. 
This requires a balance among hardware, 
personnel, and operational procedures. 
As with exterior sensors, interior intru- 
sion sensors must be integrated with the 
display and control subsystem, the entry- 
control subsystem, and delay mecha- 
nisms. This integration should include 
consideration of protection-in-depth, 
balance along all paths into the facility, 
and the use of backup systems and con- 
tingency plans. 

Line supervision is the means for moni- 
toring the communication link between a 
sensor and the alarm control center. Use 
of supervised lines between the sensor 
and host alarm system as well as continu- 
ously monitored sensor tamper switches 
will also help protect against the insider. 
The interior intrusion subsystem designer 
should be familiar with the range of line 
supervision techniques that are available 
for the communication lines that connect 
a sensor alarm relay to the alarm- 
reporting system. Line-supervision tech- 
niques, such as reverse polarity, sound 
monitoring, radio class C, steady direct 
current class B, tone, and digital classes A 
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and AB, cover the full range of security 
levels. Line supervision techniques will 
be explained further in Chapter 9, "Alarm 
Communication and Display." If a series 
of interior sensors is connected to a single 
alarm processor, line supervision is re- 
quired between the processor and each 
detection sensor. 



Summary 

This chapter discusses interior-intrusion 
detection sensors in terms of application, 
probability of detection, nuisance alarm 
rate, and vulnerability to defeat. The inte- 
gration of individual sensors into an inte- 
rior sensor system must consider the skill 
level of the intruder, the design goals, and 
the effects of environmental conditions, 
as well as the interaction of the interior 
system within a balanced and integrated 
PPS. 
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Security Principles 



The performance measures for interior 
sensors are P D , NAR, and vulnerability to 
defeat. 

Physical operation of a sensor should 
determine sensor placement to achieve 
optimum performance. 

Sensor detection areas should overlap. 

Consideration of the interaction among 
equipment, environment, and potential 
intruders is integral to the selection of the 
proper technological type of equipment 
necessary to ensure the desired intrusion 
detection system functions. 
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1. Discuss the following general appli- 
cation considerations for interior 
intrusion sensors: 

a. Use of more than one sensor or 
sensor type is recommended. 

b. Sensor installation should be 
considered during the selection 
process. 

c. Salesmen must demonstrate or 
provide independent verification 
of their claims. 

d. Sensors should be placed on 
stable mountings. 

e. Line supervision should be 
considered. 

f. Sensor field of view should be 
kept clear of clutter. 

g. Motion sensors should not be 
used in an area that has moving 
life forms other than people, 
such as small animals, birds, or 
insects. 
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h. The line-supervision circuits 

should be continually 

monitored even when an area or 

sensor is in the access mode, 
i. Rather than place wiring in the 

open, use conduit, 
j. Tamper switches should be 

installed in junction boxes, 
k. The sensor should be placed 

before the delay mechanism in 

the adversary's path. 
1. Motion sensors should not be 

installed next to or over 

openings, such as doorways or 

windows, 
m. To provide protection, sensor 

detection areas should overlap, 
n. Outside influences, such as 

trains, trucks, and other 

elements, should be taken into 

account, 
o. Power line transients can cause 

nuisance alarms. 
p. The installer may be 

inexperienced, 
q. Radio frequency sources, such 

as portable radio transmitters, 

may have adverse affects on the 

sensor system. 

2. Discuss the following application 
considerations for ultrasonic motion 
sensors: 

a. Ultrasonic motion sensors in the 
same area should be from the 
same manufacturer. 

b. Ultrasonic motion sensors 
should be installed away from 
sources of ultrasonic noise, such 
as air leaks, air filters, dripping 
water, clanging metal (telephone 
bells), and so on. 

c. A monostatic ultrasonic motion 
sensor should be aimed so that 
the most likely intruder path 

is towards or away from the 
sensor. 

d. Ultrasonic motion sensors 
should be installed so that they 
cannot see moving objects, such 



as moving machinery and 
banners. 

3. Discuss the following application 
considerations for passive infrared 
(PIR) motion sensors: 

a. A PIR motion sensor should be 
aimed so that rapidly changing 
heat sources, such as space 
heaters, are out of its field of 
view. 

b. A PIR motion sensor should not 
be aimed so that hot, turbulent 
air flows through or into the 
sensor's field of view. 

c. A PIR motion sensor should be 
aimed away from the floor if 
mice or other small animals are 
present. 

d. A PIR motion sensor should be 
placed so that sunlight will not 
fall directly on the face. 

e. A PIR motion sensor should be 
installed so that the least likely 
direction an intruder will move 
is directly at or away from the 
sensor. 

4. Discuss the following applica- 
tion considerations for microwave 
motion sensors: 

a. Microwave energy can penetrate 
many common wall types. 

b. Multiple microwave motion 
sensors installed in the same 
area should be operated on 
different frequencies. 

c. Radar speed detectors operate in 
the same frequency band as 
microwave motion sensors. 

d. Microwave motion sensors 
should not be placed so that 
they can "see" microwave 
ovens. 

e. Large metal objects can reflect 
the area of coverage. 

f. Microwave motion sensors 
should be aimed away from 
metal air ducts that can direct 
the energy into other areas. 
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g. Microwave motion sensors 

should be placed so that they are 
unable to see metallic (or 
conductive) moving objects, 
such as fan blades and moving 
machinery. 

h. People should not look directly 
into an operating microwave 
motion-sensor antenna at very 
close ranges (<30cm). 

i. Fluorescent lighting tubes 

should be outside the microwave 
sensor field of view, particularly 
at distances less than three 
meters. 

j. A microwave motion sensor 
should be installed so that the 
most likely intruder path is not 
across its field of view. 

5. Discuss the following application 
considerations for other sensors: 

a. A capacitance proximity sensor 
should not be used if there are 
mice or other small animals 
present in the area. 

b. Passive sonic or passive 
ultrasonic sensors should be 
avoided in an extremely noisy 
environment. 

c. Balanced magnetic switches 
mounted on ferrous (steel) doors 
or frames must use '/ 2 -inch 
nonferrous spacers. 

d. Balanced magnetic switches 
should not be mounted on the 
outside of the protected surface. 

6. Discuss the following application 
considerations for interior sensor 
maintenance: 



a. A sensor system should not be 
installed and forgotten. 

b. Walk tests should be conducted 
periodically to verify sensor 
operations. 

c. Only authorized personnel 
should adjust sensitivities 

d. A modification in the system 
should be accepted only after 
testing has verified proper 
operation. 

e. The nuisance alarm rate should 
not be reduced by lowering 
sensor sensitivity, because 
lowering sensitivity also reduces 
system coverage. 

f. Building maintenance should be 
performed even if it may cause 
nuisance alarms. 

7. What are some of the differences 
in the detection capabilities of 
infrared, microwave, and ultrasonic 
sensors? 

8. What kind of environmental condi- 
tions can affect interior sensor 
systems? 

9. Twenty-eight tests have been per- 
formed to estimate P D for a new PIR 
sensor, but half of the tests were per- 
formed using each of two different 
tactics. One tactic is a walk across 
the detection pattern of the sensor at 
1 foot per second (a normal walk is 
approximately 2-3 feet per second). 
This tactic shows 13 detections in 14 
tests. The other tactic is a crawl at 
0.5 feet per second and shows 10 
detections out of 14 tests. What is 
the P D for this sensor? Should we use 
two P D s or just one? 
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Assessment is essential to identify the 
cause of an alarm and to effectively end 
the detection function. Alarm assessment 
can be provided through closed-circuit 
television (CCTV) coverage of each sensor 
sector or by visual checks by personnel. 
With a CCTV alarm assessment system, 
authorized personnel can rapidly assess 
sensor alarms at remote locations and 
avoid unnecessarily sending guards or 
other response forces to an area. The 
premise of this chapter is that alarm 
assessment will be accomplished through 
the use of CCTV cameras. We call 
this video alarm assessment or just 
assessment. 

There are two purposes of assessment. 
The first is to determine the cause of each 
sensor alarm. This includes determining 
whether the alarm is due to an adversary 
or a nuisance alarm. The second purpose 
of assessment is to provide additional 
information about an intrusion that can be 
relayed to the response force. This infor- 
mation includes specific details such as 
who, what, where, and how many. 

A key principle in the design and eval- 
uation of a PPS is that detection is not 
complete without assessment. This prin- 



ciple is based on the premise that the 
primary goal of a security system is to 
protect assets from loss or damage. As 
explained in some detail in Chapter 5, 
"Physical Protection System Design," to 
meet this objective effectively a facility 
must detect that an attack has started, and 
delay the adversary long enough to allow 
an appropriate response to the attack. 
There is an important distinction between 
detection and assessment. Detection is 
the notification that a possible security 
event is occurring; assessment is the act 
of determining whether the event is an 
attack or a nuisance alarm. As described 
previously, exterior or interior sensors 
best accomplish detection. Humans are 
better at assessing an event. Longstanding 
studies have shown that humans are 
not good detectors, particularly over long 
time periods. In one study using sixteen 
television monitors, it was shown that 
after 60 minutes human effectiveness at 
detecting suspicious events dropped sig- 
nificantly, even though operators were 
told to expect the events (Tickner and 
Poulton, 1973). Other studies have 
shown similar results after 30 minutes 
{Ware, Baker, and Sheldon, 1964, and 
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Mackworth, 1961). Tickner and Poulton 
also demonstrated that human operators 
could successfully observe up to nine 
large monitors, but reduction of monitor 
size, distance of incident from the camera, 
duration of the incident, and disruptions 
such as telephone calls also reduced 
operator effectiveness (Tickner et al., 
1972; Tickner and Poulton, 1973). 

These results emphasize the impor- 
tance of separating the act of detection 
from the act of assessment. Cameras are 
not detectors; they are imaging devices. 
When matched with humans or sen- 
sors, cameras can provide an immediate 
method to assess a scene of interest. The 
camera operates the same whether or not 
an intruder is in the scene; detection is 
accomplished through the use of a sensor 
or human monitoring. To be successful at 
protecting assets, it is not sufficient to 
provide remote CCTV monitoring of an 
area and expect that human operators 
will detect undesired or suspicious events. 
Based on the scientific evidence demon- 
strating that this approach starts to 
degrade after 30 minutes and is not reli- 
able after one hour, effective protection 
systems must incorporate some sensor 
technology to assist in the detection func- 
tion and reduce the load placed on the 
human operator. Sensors are able to detect 
events and do not suffer from fatigue 
or boredom, while humans are good at 
viewing an image and deciding on the 
appropriate response. In low-security 
applications, the use of humans for detec- 
tion may be accepted, but the probability 
of their detecting an event is very low. In 
these systems, frequent rotation of human 
operators can be implemented in order to 
counter this effect. 

Assessment versus Surveillance 

In this text, the term assessment is differ- 
ent than surveillance. Assessment refers 
to immediate image capture of a sensor 
detection zone at the time of an intrusion 



alarm. The detection zone is then also 
termed an assessment zone. The image 
can then be reviewed to determine the 
cause of the alarm and initiate proper 
response to the alarm. The response to the 
alarm may be to dispatch a guard in the 
case of an adversary attack, to initiate an 
investigation, or to log the alarm as a nui- 
sance or false alarm. The most effective 
systems will use CCTV to capture the 
cause of the alarm and enable immediate 
assessment. Surveillance, on the other 
hand, uses CCTV to continually monitor 
activity in an area, without benefit of an 
intrusion sensor to direct attention to a 
specific event or area. Many surveillance 
systems also do not use human operators, 
but record activity periodically on video- 
tape for later review. 

The use of assessment or surveillance 
relates to the value of the asset and the 
timeliness of the response that is required. 
If the asset to be protected has a conse- 
quence of loss that can be tolerated, use of 
surveillance systems may be appropriate. 
However, if the consequence of loss of 
the asset is unacceptably high, assess- 
ment systems represent the better alterna- 
tive. It is important to emphasize that the 
assumption throughout this text is that 
high-consequence losses cannot be al- 
lowed, and those assets require the use of 
an immediate and effective on-site re- 
sponse. High-consequence losses include 
the loss of life, damage to critical infra- 
structures such as telecommunications 
systems or utilities, and loss of control of 
hazardous assets. Assets that have lower 
consequences if lost or damaged may use 
surveillance systems with human review 
after occurrence of the event to initiate the 
proper response. 

As an example, if a clerk in a conve- 
nience store is killed during the commis- 
sion of a robbery, the CCTV surveillance 
system in place to monitor the store using 
videotape recording may collect informa- 
tion as to the identity of the perpetrator 
but did nothing to prevent the death of 
the employee. In this case, a high conse- 
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quence (death) was realized and the 
system did not protect the employee. 
Although the surveillance tape may sup- 
ply evidence to help identify, capture, and 
prosecute the felon, the system failed to 
prevent the death of the employee, result- 
ing in a high-consequence loss. 

Regardless of whether the video system 
is to be used for assessment or surveil- 
lance, the technical guidance in this 
chapter will still apply. 



Video Alarm Assessment System 

The basic components of a video alarm 
assessment system are shown in Figure 
8.1. The assessment system is composed 
of cameras at the remote sensor areas, 
display monitors at the local end, and 
various transmission, switching, and 
recording systems. Major components 
include: 

• camera and lens 

• lighting system 

• transmission system 

• video switching equipment 

• video recorder 

• video monitor 

• video controller 

Kreugle (1995) and Damjanovski (2000) 
have written outstanding books dis- 
cussing video systems and their compo- 
nent pieces in considerable depth. 



Camera and Lens 

The basic function of the camera and lens 
system is to convert an optical image 
of the physical scene into an electrical 
(video) signal, suitable for transmission to 
a remote display area. The camera and 
lens system is sized and located to assess 
a defined area. 

Selection of a camera and lens for a 
video assessment system must start with 
the determination of the degree of resolu- 
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Figure 8.1 Block Diagram of Video 
Assessment System Components. The 
video assessment system uses CCTV 
cameras to capture images of intrusion in 
detection zones, then transmits it to a 
recording or immediate review location 



tion to be required. The camera selection 
should also take into consideration the 
following desirable characteristics: 

• High sensitivity to best utilize avail- 
able light 

• Ability to maintain an adequate 
picture in the presence of bright 
sources 

• Ability to retain picture clarity at all 
points in the scene when motion is 
present 

• Long life 

Before describing these characteristics, 
some background information is required. 
Readers who do not require an in-depth 
understanding of the technical basis for 
performance measures used in CCTV 
systems can skip to the "Resolution 
Limited Field of View" section below for 
a discussion on the application of these 
concepts. 

Basic Television Operation 

A television (TV) image is developed in a 
scanning fashion. The image is "painted" 
by a spot of light moving from left to right 
repeatedly, all the while drifting down 
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much like the eye scanning a page while 
reading. Each pass of the spot of light from 
left to right is referred to as a scan line. 
When the surface area is completely sur- 
veyed, the light spot returns (retraces) to 
the top, repeating the process. Some lines 
of scan are not visible but are blanked out 
while the spot retraces to the top (vertical 
blanking). The beam also is blanked as the 
spot rapidly retraces from right to left, 
from the end of one scanning line to the 
start of another (horizontal blanking). 

Vertical deflection of the beam is con- 
tinuous, causing lines to slope slightly 
downward as the scan is made from left 
to right. As developed electronically, the 
lines are distinctly visible. They do not 
merge but actually leave dark gaps be- 
tween adjacent lines. The scan line itself 
is not a track of uniform brightness, but 
is brighter at the center than at the edges. 
Therefore, there is a visible background 
pattern, a striped effect, in all television 
images. When this technique was first 
developed it was presumed that the 
viewer would be far enough away from 
the display so that the striped effect 
was not visible. This is not the case in 
modern applications, so the consideration 
becomes more complex. 

The technique of interlace was devised 
to overcome this objectionable effect in 
televised displays. Interlace arranges the 
scan sequence to survey a field with one- 
half the scan lines initially (Field 1), then 
retraces (Field 2), placing the scan lines of 
the second field between the lines devel- 
oped in the first field. Thus the bright- 
ness refresh rate is in effect doubled, 
sufficiently rapid to be above the critical 
flicker frequency of human vision. The 
image appears whole due to the slow 
decay of brightness from the phosphor. 
Each field contains half the available 
information. One frame contains two 
fields (odd and even, based on line 
number) and there are 30 frames per 
second. The development of two fields to 
make up a whole image (frame) is referred 
to as 2 : 1 interlace. 



In this chapter, discussions of alarm 
assessment equipment assume television- 
scanning rates in terms of the U.S. stan- 
dard. Because commercial U.S. power is 
furnished at a 60-Hz rate, 60 Hz is the 
field rate with 525 scan lines per frame 
(267.5 TV lines per field) for video 
systems in the United States. These spec- 
ifications, with the addition of color infor- 
mation, comprise the National Television 
System Committee (NTSC) standard. In 
the International Radio Consultative 
Committee (CCIR) West European system, 
a 50-Hz power and a 625-line frame scan 
are used. Many manufacturers supply 
both NTSC (60 Hz, 525 line) and CCIR 
(50 Hz, 625 line) systems as options. The 
PAL (Phase Alternate Line) standard was 
developed by Walter Bruch of Tele- 
funken. This system has a higher resolu- 
tion than the American NTSC with 625 
lines, but it runs at 25 frames per second. 
The French television standard, Sequen- 
tial Couleur A'Memorie (SECAM), uses 
the same resolution and frame rate as 
PAL but is not compatible. This system 
is widely used in Russia and Eastern 
Europe. In the future, High-Definition 
Television (HDTV) will be the new stan- 
dard. Details and implementation of this 
standard are still evolving. 

The 525 horizontal scan line system 
used in the United States has 483 active 
scan lines containing video information 
and two vertical blanking intervals com- 
posed of 21 retrace lines each. Only about 
340 TV lines can be individually resolved 
because of the deflection system nonlin- 
earities in the camera and the monitor. 
The 340 TV lines can also be thought of 
as 340 independent picture elements of 
equal height stacked one above the other 
in a vertical column. Each of these picture 
elements, or pixels, is of a specific, 
measurable vertical dimension represent- 
ing V 340 th of the resolution chart height. 
The pixel is defined as the smallest inde- 
pendently resolvable element in an image. 
Although color television is the predomi- 
nant form today, it is simpler to describe 
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Figure 8.2 Sample IEEE Resolution Chart Used to Determine TV Camera Resolution in 
TV Lines. The patterns in the center of the chart are used to determine nominal camera 
resolution, while the patterns in the corners are useful to test monitor resolution across 
the entire display 



TV technology using a black-and-white 
signal, since the basic measures will 
still apply. 



Resolution 

Resolution is the ability to see fine details 
in an image. It is a measure of spatial fre- 
quency or the number of pairs of alternate 
black and white evenly sized lines that 
can be seen in a given linear distance, 
typically expressed in line pairs per mil- 
limeter. The line pairs designation is used 
primarily in the field of optics, but the 
term appears occasionally in television 
literature. There is no universally used 
terminology either in standards or in 
common practice to define resolution. 
Since the display is in a single plane, we 
are concerned with the ability to produce 
detail vertically (up and down) and hori- 
zontally (left and right). Separate consid- 
erations apply to each dimension. 

The resolution of a TV camera is com- 
monly measured on an Institute of Elec- 
trical and Electronic Engineers (IEEE) 



resolution chart where groups of equally 
spaced black and white lines arranged in 
a wedge-shaped pattern form the basis for 
resolution measurement. A typical IEEE 
resolution chart is shown in Figure 8.2. A 
camera is positioned so that it views the 
full chart with no background visible. The 
resolution chart is marked at various 
intervals along the wedge patterns with 
the resolution values in TV lines, typi- 
cally between 200 and 1,600 lines. 

Since sequential scanning lines pro- 
duce the TV image, the resolution in TV 
lines is often confused with the number 
of scanning lines that produce the image. 
Although the vertical resolution in TV 
lines is dependent upon the number 
of scanning lines in the raster, they 
have different meanings. Due to the diffi- 
culty in interpreting wedge patterns on 
IEEE charts, they are generally not used 
for evaluation of vertical resolution. In 
practice, vertical resolution is considered 
to be equal to the number of unblanked 
scan lines. Horizontal resolution can 
be measured using the IEEE resolution 
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Figure 8.3 Aspect Ratio and the Rela- 
tionship to Resolution. Vertical resolution 
is generally assumed to be TV scan lines, 
of which only 380 are actually available. 
Horizontal resolution can be expressed in 
terms of horizontal lines or TV lines. By 
definition, horizontal resolution is the 
number of TV lines per picture height, 
which is 3 units 



chart with the vertical black and white 
wedge patterns. The point where the 
converging vertical lines are just barely 
visible before fusing into a gray blur is 
defined as the limiting horizontal resolu- 
tion in TV lines. 

At the same time the NTSC techni- 
cal specification was developed, the TV 
industry also adopted a viewing format 
with a width-to-height ratio of 4 : 3 (aspect 
ratio) and specified horizontal resolution 
in TV lines per picture height. Due to the 
aspect ratio, the horizontal field of view is 
greater than the vertical field of view by 
33%. If the vertical and horizontal reso- 
lution were 300 TV lines each, there 
would be 400 pixels in the horizontal 
direction, but by definition the horizontal 
resolution would still be 300 TV lines. 
The horizontal resolution read from 
the chart is not defined by the width 
of the picture but by a distance equal to 
the picture height or three-fourths of the 
picture width. Figure 8.3 depicts this 
relationship. 



In summary, resolution is not a simple 
consideration. In addition to the speci- 
fications discussed above, contrast, band- 
width roll-off, use of color versus black- 
and-white cameras, and method of mea- 
surement can also influence resolution. 
Specific testing for the proposed applica- 
tion should be performed to verify that the 
camera selected will provide the neces- 
sary resolution. 

Resolution Limited Field of Mew 

Now that a basic description of resolution 
has been presented, it is important to 
explain how this information is used 
when designing a video assessment 
system. These same considerations will 
also be useful when integrating surveil- 
lance system components. For assessment 
purposes, three levels of resolution may 
be considered: 

• detection — the ability to detect the 
presence of an object in the area of 
interest 

• classification — increased resolution 
provides sufficient information to 
determine what is present by class 
(animal, blowing debris, person) 

• identification — improved resolution 
sufficient to uniquely identify an 
object on the basis of details of ap- 
pearance (Tom, not James) 

These three levels of resolution are 
dependent on camera resolution as well 
as size and proximity of the object in 
question. For example, in a given situa- 
tion it might be possible to identify a par- 
ticular person, classify an object as a large 
dog, or detect an object the size of a small 
animal. Consideration of the object or 
target of the assessment is critical in deter- 
mining camera placement and number. 

In an exterior perimeter, a security 
system operator may need to classify a 
person crawling slowly through a clear 
zone at night. The crawler could be close 
to the camera or further away. This dis- 
tance, combined with camera resolution, 
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lighting, and other system performance 
characteristics, will determine how easily 
and quickly the operator can make the 
assessment. For exterior perimeter ap- 
plications, resolution in the classifica- 
tion category is probably sufficient for the 
operator to differentiate between an 
adversary attack (a crawling person) or a 
nuisance alarm (a rabbit). At the other 
extreme, for some interior applications it 
may be desirable to identify the target. In 
retail applications, it may be necessary to 
identify a person suspected of shoplifting 
and the compact disc being held. In 
many casinos, CCTV systems are used to 
monitor players at tables or machines to 
discover any attempts to cheat. This may 
require the capability to identify the cards 
in a player's hand or the value of the cur- 
rency being exchanged for chips. The 
level of resolution required in the exterior 
perimeter will use fewer, more widely 
spaced cameras than the other two cases, 
since there are different objectives for the 
video images. 

This is why it is so important to con- 
sider the goal of CCTV prior to designing 
the video subsystem. Is the facility under 
attack by a stealthy adversary or trying to 
collect legal evidence for use in prosecu- 
tion? It should be clear that understand- 
ing the threat and its tactics will play a 
large role in the proper selection and 
placement of cameras at a facility. Under- 
standing the target to be assessed will also 
allow cost-effective decisions to be made 
using the level of resolution. If the need is 
for resolution to classify a stealthy adver- 
sary, a camera that meets a lower standard 
is sufficient. If, on the other hand, identi- 
fication of a specific person is the goal, a 
higher-resolution camera is appropriate. 
Lower-resolution cameras are generally 
less expensive than higher-resolution 
cameras, so this is one method of control- 
ling system costs. 

Extensive testing at Sandia National 
Laboratories has shown that a minimum 
of 6 TV lines of horizontal resolution is 
required to accurately classify a 1-foot 



target. This figure does not change with 
camera resolution but it does have a 
significant effect on camera placement 
and number. To be certain that a specific 
camera will meet the desired objective, 
cameras under consideration should be 
tested for their resolution and perfor- 
mance in the specific application prior to 
purchase. Reliance on manufacturer spec- 
ifications is discouraged, because the test 
conditions used may not directly relate to 
the specific application. Application of 
this performance measure is discussed 
in more detail in the "Distance and 
Width Approximation" section later in 
the chapter. 

Types of Cameras 

There are a variety of camera types avail- 
able including tube, solid-state, intensi- 
fied, and thermal. Each type is based on 
a different technology, and together they 
provide a wide spectrum of solutions 
to specific applications, particularly when 
low light levels are expected. Tube 
cameras were the predominant type until 
recently; they will eventually all be 
replaced by solid-state cameras. Tube 
cameras use solid-state electronics except 
for the image-sensor tube. The image tube 
wears out in one to two years. These 
cameras are also susceptible to image 
burn-in — the retention of an image on the 
target surface as a result of viewing the 
same scene for a long time or due to 
viewing of a bright light source. 

Solid-state cameras use a different 
sensor and scanning system than tube 
cameras. Their silicon sensor has a pixel 
array in place of the image tube, and 
the pixels convert light energy into an 
electrical charge. The moving electrical 
charge across the sensor creates an elec- 
trical signal that is converted to a video 
image. Additional discussion of solid- 
state camera sensors is provided below. 

In some situations, the lighting may 
not be adequate for the use of solid-state 
cameras. Some examples include dimly 
lit parking lots, covert surveillance activ- 
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ities, exterior outlying areas at large facil- 
ities, or streets. In these cases intensified 
cameras may be useful. These low-light- 
level cameras intensify the image by 
amplifying the reflected scene illumina- 
tion and then passing this image to the 
CCTV sensor, where it is processed 
normally and sent to the monitor. They 
respond to residual visible light and 
near-IR lighting from sources such as stars, 
moonlight, or artificial lighting, but do 
not emit any IR or other radiation (they 
are passive devices). There are a number 
of intensifier mechanisms and several 
generations of intensified cameras. The 
type of focusing mechanism used catego- 
rizes the different generations. While 
useful in low lighting conditions, intensi- 
fied cameras are considerably more expen- 
sive than solid-state cameras, require 
more frequent replacement and mainte- 
nance, and, in older versions, are suscep- 
tible to loss of image if moving sources of 
light are in the scene. 

A thermal-IR camera is a night vision 
device that uses the difference in tem- 
perature of scene objects to produce a 
video image. They are passive devices 
that require no light and produce images 
based completely on the thermal signa- 
ture of objects in the scene. The lower res- 
olution and higher cost of these devices 
have limited their use, but development is 
continuing. 

In addition to the selection of camera 
technology, there is the more straightfor- 
ward choice of color versus black-and- 
white cameras. Many system designers 
select color cameras because they feel 
that a monochrome (i.e., black-and-white) 
image is inferior. However, monochrome 
cameras have higher resolution, better 
signal-to-noise ratio, increased light sen- 
sitivity, and greater contrast than similarly 
priced color cameras. Although color 
imaging may provide some advantages, 
the human eye perceives spatial differ- 
ences more clearly in gradients of black 
and white. In addition, some applications 
use a computer interface, which requires 



more processing time for color images and 
may not give significantly more infor- 
mation about the target. Terry (1992, 1993) 
has published two reviews of color 
cameras comparing performance under 
controlled conditions. 

Additional Considerations 

Camera vulnerabilities can be created 
through positional errors in camera place- 
ment, mismatches in expected and actual 
resolution, overt or covert tampering, 
environmental conditions, and overall 
system-response time. The relationship 
between expected camera resolution and 
actual need was described above. It 
should be clear that if a camera is only 
capable of resolution sufficient for detec- 
tion and the requirement is for identifi- 
cation, the video system would not be 
effective. 

Covert tampering of a video signal can 
be accomplished by tapping into video 
transmission cables and inserting a re- 
corded scene, by placing a picture in front 
of the camera, or by switching video to 
show the wrong zone. Overt tampering 
modes include blinding of a camera with a 
bright light, covering the camera, cutting 
cables, or destroying the camera with a 
weapon. If these methods are of concern, 
the CCTV system should provide for 
tamper protection through the use of 
video loss detection, video authentication, 
and physical protection for cameras and 
cables. Additional methods of video 
tamper-proofing will be discussed Chapter 
9, "Alarm Communication and Display." 

Changing environmental conditions, 
such as the presence of rain, fog, snow, or 
shadows, can also introduce vulnerabili- 
ties into the video subsystem due to the 
loss of usable images. If these conditions 
are expected, contingency plans should 
be prepared in advance to allow for 
assessment during these times. The use 
of existing pan-tilt-zoom (PTZ) cameras 
positioned for secondary surveillance, or 
the placing of a guard to provide visual 
assessment, can be considered. Mounting 
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the camera in an unprotected area could 
lead to undetected camera tampering. To 
detect camera tampering, the video line 
can be electronically supervised. Video 
presence detectors, which can monitor 
the video signal and produce an alarm if 
the video level increases or decreases by 
a preset amount, are commercially avail- 
able. The video presence detector can also 
detect when the video sync signal ampli- 
tude has been reduced. Some inexpen- 
sive video presence detectors detect only 
the presence of the video sync signal. 
This may be helpful in detecting cata- 
strophic camera or video line failure, but 
it is of little use if the camera scene is 
obscured, because the sync pulses would 
still be present even if the camera view 
were blocked. 

Video presence detectors are usually 
placed at a central equipment location, 
such as a security control center. At this 
location, the video presence detector can 
also monitor the transmission path from 
the camera through any signal condition- 
ing equipment and indicate a failure in 
any of this equipment. 



Image Device 

As previously stated, vertical resolution is 
primarily dependent upon the number 
of horizontal scanning lines. In mono- 
lithic, photosensitive-surface image tube 
cameras, the horizontal resolution is pri- 
marily dependent upon the bandwidth of 
the camera. In cameras with solid-state 
imagers, the horizontal resolution is deter- 
mined by the number and spacing of the 
discrete elements in the horizontal dimen- 
sion. The practical method for determin- 
ing resolution is to read the resolution 
from the IEEE resolution chart as in previ- 
ous examples. This will provide a common 
basis for the performance comparison 
among various types of cameras. 

Currently available solid-state cameras 
have horizontal limiting resolutions in 
the 250 to 575 TV-line range. In a solid- 
state imager, there is no deflection system 



required to scan the photosensitive sur- 
face. Therefore, there are no deflection 
errors to contribute to a loss in resolution 
from this source. The vertical resolution 
typically increases to about 400 TV lines 
in solid-state imager cameras. 

Frequently, only one resolution specifi- 
cation is listed in manufacturers' litera- 
ture for image-tube cameras. The listed 
specification should be assumed to be 
the horizontal resolution because the 
number of scanning lines fixes the vertical 
resolution. For most applications today, 
solid-state cameras are the preferred 
imaging device. Tube cameras are only 
used for special applications requiring 
high resolution or as replacements in 
older systems. Although new tube cam- 
eras have slightly greater resolution and 
sensitivity, this performance degrades 
with tube age, and a permanent image of a 
fixed bright scene can burn into the tube. 
Solid-state camera performance degrades 
little with age; image burn-in is not a 
problem; and they need relatively little 
maintenance. Solid-state and tube camera 
costs are about equal. 

Solid-state cameras use a silicon array 
of photosensor pixels to convert the input 
light image into an electrical signal. Most 
solid-state sensors are charge-transfer 
devices and come in three types, based 
on manufacturing technology. These in- 
clude the charge-coupled device (CCD), 
the charge-priming device (CPD), and the 
charge-injection device (CID). Another 
sensor type is the metal oxide substrate or 
MOS. All four types are in use, with the 
CID primarily used in special military and 
industrial applications. 



Image Device Format The image device 
format is related to the size of the photo- 
sensitive surface and is a measure of the 
diagonal of the scanned rectangular area. 
The most common formats for solid- 
state cameras are V 2 " and V :! ". In addition, 
as silicon target densities improve, V 4 " 
cameras are becoming popular, and 
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V 8 " cameras are under development. The 
most common formats for tube cameras 
are 1" and %". 

Due to the increased use of silicon 
targets as the sensor device in cameras, it 
is common for cameras to be specified in 
terms of their horizontal and vertical pixel 
counts. These numbers can then be mul- 
tiplied for an estimate of the total pixel 
area. A typical value is 200,000 pixels 
for a good 525-line CCTV system. This 
number, however, may not be useful 
unless it is converted into equivalent TV 
lines. For horizontal resolution this is 
accomplished by multiplying the hori- 
zontal pixel count by 0.75. 

Lenses 

After the geometry of an area to be 
assessed has been established, the selec- 
tion of an appropriate lens system to be 
used with the associated camera is impor- 
tant. Several factors must be considered at 
the same time. They are interdependent 
variables and vary with the designer's 
objectives, including the manner in which 
the video assessment system will inter- 
face with the intrusion sensing system 
and the response force. In general, the 
main purpose of lens selection will be to 
cover as much of the desired area as pos- 
sible with a minimal number of cameras 
while retaining an acceptable degree of 
overall resolution. The parameters that 
must be considered in proper lens selec- 
tion include: 

• format 

• focal length and field of view 

• f-number 

• distance and width approximation 

maximum field of view width 
maximum usable zone length 

Lens Format 

The lens format size defines the maximum 
usable image created by the lens. For 
optimal performance, the lens and camera 
formats must match. Fixed focal length 



(FFL) lenses of one format may be 
used with smaller sensor formats, but 
never with larger sensor sizes. Use of 
lenses with larger camera sensor sizes will 
create image distortion and darkening 
(vignetting) at the edges of the field of view. 
Standard lens formats are %", V 2 ", V 3 " 
and V 4 ". In addition to lens format, the type 
of iris to be used should be specified. The 
iris manually or automatically adjusts to 
optimize the amount of light reaching the 
camera sensor. Manual iris lenses are used 
when light levels are expected to be fairly 
consistent; automatic iris lenses are useful 
when there are wide variations in the 
expected light, such as full daylight to 
lower level nighttime lighting. 

Focal Length and Field of View 

Focal length is the single most important 
factor in proper lens selection. It deter- 
mines the relative magnification of the 
object. Since the format of a lens is 
known, the focal length will define the 
horizontal and vertical angles covered by 
the lens for any object distance. These 
coverage areas are referred to as the hori- 
zontal and vertical angular field of view. 

For a desired minimum resolution, the 
range (length of the coverage) of a short 
focal length lens will be less than that of 
a long one, as Figure 8.4 illustrates. But 
once the width of the field of view spreads 
out to a certain distance, the low resolu- 
tion past that point makes the camera and 
lens unusable for assessment purposes. 
This is called the resolution-limited field 
of view, also shown in Figure 8.4. 

Angular fields of view can be drawn on 
site drawings using a conventional pro- 
tractor and overlaying sheets of transpar- 
ent (tracing) paper. These overlays can 
be located arbitrarily at various points 
surrounding the clear zone to obtain 
optimal focal length and format selection 
and coverage of the clear zone while 
using a minimal number of cameras. The 
following equations may be used to cal- 
culate the horizontal and vertical angular 
fields of view. 
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Limits Imposed by Resolution Requirement 




Medium Focal 
Length Lens 



Figure 8.4 Practical Field of View versus 
Focal Length of Lens. Three different 
fields of view are superimposed to show 
how the field of view gets longer and nar- 
rower as the focal length increases 



Horizontal angular field of view 
(in degrees) = 2 x Tan 1 (W,/2F) 

Vertical angular field of view (in degrees) 
= 0.75 x (horizontal angular field of 
view) 

where: 

F = lens focal length (mm) 

W^ = width of imager active scan area 
(mm) and 



If camera is: 
Then W I = 



V 

8.8 mm 



6.4* mm 



4.8 mm 



V 

3.2 mm 



* Note: There are differences in imager width 
among manufacturers. Consult the specifica- 
tion for a particular camera to verify the width. 

An alternate technique is to deter- 
mine the geometry of the area to be 
assessed and analytically match a lens 
to it. This provides an excellent first ap- 
proximation to lens requirements. This 
technique may result in calculated 
lens requirements that do not correspond 
to a commercially available lens with 
an f-number appropriate to planned light- 
ing. Design iterations in which lens param- 
eters, lighting requirements, camera type, 
camera placement, and sector geometry 
are varied will result in a suitable system 
design. 



F-Number 

An important lens parameter is its relative 
aperture (or lens speed), which is a 
measure of its ability to gather light. The 
relative aperture is expressed as the 
f-number. The smaller the f-number, 
the more light is admitted; therefore, a 
small f-number (1 to 1.8) is desirable 
for exterior assessment applications; for 
interior applications, larger f-numbers 
can be used. 



Distance and Width Approximation 

If standard lenses (having focal lengths of 
3.5mm, 6.0mm, 12mm, 25mm, 50mm, 
75 mm, etc.) are to be used, a fast and easy 
calculation can be made to determine 
either the width of the field of view at a 
given distance from the camera, or the dis- 
tance from the camera given a specific 
width. Either of these, distance or width, 
can be approximated as follows: 



H, 



\\YD_ 
FL 



Where: 



H FO v= Horizontal Field of View, in feet 
or meters 

D = distance from camera (m or ft) 

FL = focal length (mm) 

W\ = imager width in mm (as shown 
above) 

As described above, the vertical field of 
view can then be calculated as: 



V, 



0.75 (H F 



Although useful in this form, the hori- 
zontal field-of-view equation is generally 
manipulated into the alternative: 



D = 



H FO y FL 
W, 



This representation allows calculation of 
distance from the camera, given the width 
of the assessment zone, imager width, or 
lens focal length. Normally, the camera 
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distance from the beginning of the assess- 
ment zone is the unknown quantity that 
must be determined, in order to aid in 
camera placement and estimates for cable 
lengths and power. 

As an example of distance and width 
approximation, a 65-foot-wide area, as- 
sessed with an 8 mm format (V 2 ") cam- 
era using a 25 mm focal length and 8 mm 
format lens, would have its camera placed 
approximately 254 feet away in order to 
see the entire 65-foot width. Using the 
formula above, 



D = 



65 feet (25mm) 
6.4mm 



= 254 feet 



The distance to the resolution-limited 
field of view width can also be deter- 
mined. The resolution-limited field of 
view width for assessment is based on 
experimental data to classify a 1-foot 
target. For a 600-line resolution camera, 
this is located where the horizontal field 
of view is 100 feet wide (to give 6 lines 
per foot). Using the previous example, the 
distance from the resolution-limited field 
of view to the camera would be 391 feet 
and is calculated by: 

p= 100 feet (25mm) =391feet 
6.4mm 



Maximum Usable Zone Length 

For the special case where an assessment 
system is being designed for perimeter 
use, the distance and width approxi- 
mation may be used to determine the 
maximum zone length that may be 
assessed with a particular camera and 
lens combination. Figure 8.5 shows a 
typical exterior assessment zone. Note 
that the lower field of view (bottom of 
scene on TV monitor) is not normally the 
zone width. Likewise, the upper field of 
view is not normally the resolution- 
limited field of view width. Also note that 
between the camera location and lower 
field of view, there is a blind area which 
cannot be seen by the camera. Determina- 
tion of zone length through the use of 
these distance approximations will allow 
the designer to optimize system per- 
formance in terms of resolution while 
minimizing the number of cameras. It is 
important to note that one fixed camera 
per exterior assessment zone will provide 
the required resolution, reduce cost, and 
make integration of sensors and video 
much easier. 

The maximum usable zone length is 
calculated based on zone width and reso- 
lution requirements at the end of the 
zone. It is the difference between the res- 
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Figure 8.5 Perimeter Assessment Zone Geometry. The zone width determines the near 
field of view, while the resolution determines the far field 
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olution-limited field of view distance (far 
field) and the zone width (near field) dis- 
tance. For the previous example (65-foot- 
wide zone width, 25 mm lens, and V 2 " 
format camera/lens), the maximum usable 
zone length is 137 feet (391 - 254 = 137). 
Using this technique it is easy to deter- 
mine which focal length lens is best 
suited for a specific zone size. If the 
requirement were to assess a 65-foot- 
wide, 165-foot-long zone, then a 25 mm 
lens would not work. A longer focal 
length lens would be required. It is always 
wise to select a lens that provides ade- 
quate zone coverage and the closest 
camera location to the zone. 

Near field, far field, maximum usable 
zone lengths, proper lens size, and camera 
placement distances can all be calculated 
using the formulas above, by using 
mechanical aids such as the one sold by 
Cohu and other camera manufacturers 
and distributors, or through the use of 
computer models. 

Interior Assessment Zones 

Camera layouts for interior assessment 
follow the same principles and guidelines 
as for exterior cameras. Due to the shorter 
distances generally found in interior ap- 
plications, resolution sufficient for clas- 
sification or identification is relatively 
easy to achieve. Interior cameras will still 
use the same resolution-limited field of 
view as exterior cameras, but this distance 
will be much closer to the camera. Inte- 
rior cameras generally use lenses up to 
approximately 16 mm for 7 2 " or %" format 
cameras. Lighting levels suitable for 
human comfort and safety (30 to 100 foot- 
candles) will be adequate for most 
cameras. Many interior cameras are now 
equipped with manual iris lenses and 
shuttered lighting control on the image 
device. 

Cameras mounted at the corners of a 
room just below the ceiling usually 
provide the best assessment. Corners 
away from entry points are preferred in 
order to eliminate camera tampering from 



someone below the camera and out of the 
camera's field of view. Due to the blind 
spot in the camera field of view, wide- 
angle lenses can be used to provide full 
wall-to-wall (90°) camera coverage. Tilted 
downward, the camera avoids the ceil- 
ing lights that would adversely affect the 
camera signal. This still allows viewing 
over the area and/or equipment. In typical 
interior applications, the assessment zone 
will normally contain items other than the 
asset being protected, which will effect 
the maximum usable zone length. When 
tall equipment is located in the room, a 
second camera may be required to observe 
the blind side. If a second camera is 
required, a good location may be the 
corner diagonally across from the first 
camera. 

Two examples of interior camera place- 
ment will be discussed to illustrate these 
points. Figure 8.6 shows a simple room 
using one camera and one sensor. The 
room is typical of a small office, such as a 
school principal or manager's office. There 
is a safe that contains private information 
located in a corner of the room. There are 
various pieces of furniture located in the 
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Figure 8.6 Sample Camera Placement in 
a Small Office. The sensor is in the camera 
field of view and the microwave sensor 
detection volume covers the safe contain- 
ing the assets 
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office including a desk, chairs, bookcases, 
a table, and filing cabinets. None are 
higher than 5 feet tall. A design using a 
microwave sensor and one camera is 
shown. Other variations are possible. Note 
that the camera has the sensor in its 
field of view, the safe (the asset to be pro- 
tected) is covered by the detection pattern 
of the sensor, and the microwave sensor is 
placed so that the adversary will move 
toward or away from it to maximize per- 
formance. In addition, when microwave 
sensors are used, it is important to con- 
sider the door and wall materials so that 
nuisance alarms are eliminated. In this 
case, a short detection pattern would 
produce the best results. The window 
located across from the desk should be 
covered with fine wire mesh or other 
material to eliminate interference with the 
sensor, as should fluorescent lights. To 
provide the maximum video coverage of 
the room, a board camera can be used, to 
reduce camera size and minimize the 
blind area under the camera. 

Figure 8.7 shows a sample design in a 
slightly larger room such as in a library, 
a museum, bank, or storage area. Our 
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Figure 8.7 Sample Camera Placement in 
a Computer Classroom. The camera will 
view approximately half the room, in- 
cluding the exterior doors and the PIR 
sensor. The interior door is not covered 
very well because if it opens, the door will 
shield the intruder 



example is a computer classroom. The 
room is 20 feet by 30 feet, has a set of 
double doors that exit to the outside of the 
building, one interior entry door, and 18 
computers and related equipment on 
tables in the room. 

Camera Mounting/ Support Structures 

It is highly recommended that exterior 
cameras be mounted on stable towers and 
mounts so that motion or movement in 
the wind is avoided. A wire-frame steel 
tower is unaffected by varying weather 
conditions and will not dry out and twist 
over time as do wooden poles. To com- 
pensate for the twisting action of the 
wood, cameras must be repositioned to 
maintain the proper view of the assess- 
ment area. 

If exterior cameras are positioned so 
they look over the horizon, there will 
be a period of time each day when the 
rising or setting sun will blind the camera 
and allow an adversary to pass through 
the perimeter. Similarly, interior cameras 
aimed into lights will create glare or 
bright spots that will wash out any usable 
images. In addition, a camera focused 
under one type or level of light and oper- 
ated under a different light level or with 
a different lens mount or format will 
result in poor focus. It is recommended 
that exterior solid-state cameras be 
focused with the iris fully open at dawn 
and dusk to get good focus through the 
entire depth of field. Incorrect camera 
placement can result in a horizontal field 
of view too narrow for the near field or not 
sufficient to see a person (or other target) 
at the end of the zone. 

Cameras must be installed so that no 
light sources are in the field of view. 
Direct light can cause blooming of the 
image or allow the auto-iris lens circuitry 
to reduce the lens aperture. Possible 
sources include perimeter lighting, the 
sky, exterior lighting, objects capable of 
reflecting light, and interior lighting. 
Viewing portions of the sky must be 
avoided to eliminate exterior camera 
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blinding at dusk and dawn when the sky 
is considerably brighter than the ground, 
regardless of which direction the camera 
is facing. Cameras must never be angled 
to look above the horizon. Considerable 
care must be taken because camera blind- 
ing from unexpected light sources is diffi- 
cult to predict prior to installation and is 
one of the most frequent problems later 
encountered. When there is a choice, 
north/south exterior perimeter sections 
should have the cameras facing north to 
minimize sun reflections at low sun 
angles. Illumination sources in the field of 
view may have to be reoriented and/or 
shielded to prevent camera blinding. A 
perimeter section adjacent to a roadway 
presents problems from vehicle head- 
lights and taillights, even when the road- 
way is a considerable distance from the 
assessment camera. 

Exterior cameras should be mounted at 
heights that permit them to be tilted down 
to view the entire assessment area. With 
the cameras tilted down, the horizon is 
not in the field of view and glare during 
sunrise and sunset is reduced. In addi- 
tion, the chance of snow and ice getting 
on and sticking to the camera enclosure 
faceplate is reduced. A typical camera 
mounting height is 20 to 30 feet above the 
assessment area surface but below the 
lighting system. 

Use of PTZ mounts and cameras should 
be avoided for assessment cameras due to 
timing, reliability, and operation issues. 
Use of PTZ cameras may introduce vul- 
nerabilities due to the likelihood that they 
will be pointing in the wrong direction at 
the time of sensor activation and may not 
be able to rotate to the appropriate position 
fast enough to catch a fast-moving adver- 
sary, particularly over a short distance. 
This effect is magnified if a slow video 
recording system is used to help with the 
assessment. If the time for the PTZ and/or 
the recording system is not fast enough to 
capture one video frame at the time of the 
alarm and another frame a fraction of a 
second later, the system may not capture 



the adversary in time to present a useable 
assessment image. Can the PTZ rotate to 
the proper position in time to still catch an 
adversary penetrating a sensored location? 
If so, how many alarms can be processed 
in one second by the system? Depending 
on the application, fast alarm reporting 
and synchronization with alarm assess- 
ment equipment can make a critical dif- 
ference in whether or not the operator will 
make an accurate assessment. An inaccu- 
rate assessment could result in dispatch- 
ing the response force to a nuisance alarm 
or not sending the responders during an 
attack. 

Pan/tilt camera mounts may be effec- 
tively used in surveillance applications 
where remote control of the camera's 
position and pointing angles is desirable. 
In limited cases, this unit can provide 
a useful backup to assessment cameras 
if properly located. These mounts should 
not be used in place of fixed-focal- 
length assessment cameras that have been 
carefully placed to provide the maxi- 
mum assessment value. Use of pan/ 
tilt systems compromises effective, timely 
assessment. 

Older pan/tilt mounts are rated by the 
maximum allowable load they can posi- 
tion and by the speed of rotation. Newer 
pan/tilt mounts can provide unlimited 
travel in the pan mode by the addition of 
electrical slip rings. Faster units cost 
more, and their controllability at high 
speeds is limited by the operator's orien- 
tation perceptions from a remote location. 
One major disadvantage of the pan/tilt 
system is the requirement for continuous 
operator attention while working with 
such a system. No other activities can 
be monitored by an operator while the 
pan/tilt unit is in motion. 

Exterior cameras will require environ- 
mental housings to protect them from 
temperature extremes and precipitation. 
There are two types of enclosures to 
protect cameras from the elements. The 
first type is the integral environmental 
housing that forms the outer shell of the 
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camera. It is quite rigid and sturdy and 
can be pressurized with dry nitrogen 
and equipped with thermostatically con- 
trolled integral heaters. A sunshade can 
be attached to overhang the lens and 
deflect light or precipitation from the 
glass faceplate. In high winds, the face- 
plate may not remain entirely free of 
precipitation, and some compromise in 
visual assessment can be expected. 

The second option is to mount a camera 
inside a separate sheet metal or fiberglass 
housing, which permits access to the 
camera by a hinged or removable lid. 
These housings can be equipped with 
heaters, insulation, fans, defrosters, wind- 
shield washers, and windshield wipers. 
All of these functions can be automati- 
cally controlled except the windshield 
washers and wipers. The washers and 
wipers must be remotely controlled from 
the central assessment station. 

These separate housings must be large 
enough to contain the camera, lens, and 
cable connectors. Their chief advantage is 
the accessibility to the camera for adjust- 
ments, such as lens focusing. They cannot 
be pressurized, so some dirt and dust 
accumulation can be expected inside 
these housings. The windshield washers 
and wipers have proved to be a con- 
siderable maintenance problem, and the 
washers are not recommended unless 
very unusual environmental conditions 
exist. Washer reservoirs, which must 
be located at the camera, compel more 
frequent access to the camera location. 
The windshield wipers, if kept properly 
adjusted and free of ice, can maintain ade- 
quate assessment in high precipitation 
situations where the non-wipered camera 
faceplate may have problems with assess- 
ment. Conditions at each site would deter- 
mine the need for these devices after 
considering their added maintenance 
requirements. 

A separate environmental housing will 
require additional wiring to provide the 
power necessary to operate the electrical 
equipment. A remote control system will 



be required for the operation of wind- 
shield wipers and washers, if used. These 
remote control systems can be furnished 
by the housing manufacturer or are avail- 
able from other manufacturers, such as 
those providing remote control of other 
camera-related functions like pan/tilt 
mounts and zoom lenses. 

Lighting System 

For a given scene to be visible to a camera, 
the scene must be illuminated by natural 
or artificial light and must reflect a certain 
amount of this light into the camera lens. 
The function of the lighting system is to 
illuminate the assessment zone evenly 
with enough intensity for the chosen 
camera and lens system. Light fixtures 
should be mounted well above camera 
height. This will prevent these bright light 
sources from intruding on the camera's 
field of view. 

Camera Sensitivity 

The sensitivity of a CCTV camera can be 
defined as the minimum amount of illu- 
mination required to produce a specified 
output signal. The following factors are 
involved in producing a TV signal: 

• Illuminance level of the scene 

• Spectral distribution of the illumina- 
tion source 

• Object reflectance 

• Total scene reflectance 

• Camera lens aperture 

• Camera lens transmittance 

• Spectral response of the camera 
imager 

• Video amplifier gain, bandwidth, 
and signal-to-noise ratio 

• Electronic processing circuitry 

Camera sensitivity is usually specified 
as the minimum illuminance level that 
will produce a full 1-volt peak-to-peak 
video signal. The specification should 
state whether the indicated illuminance 
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level is the scene illuminance or the 
faceplate illuminance. The illumination 
source is usually an incandescent lamp 
operating at a color temperature of 2,854° 
Kelvin. In some cases, the parameters 
used to claim this sensitivity are unreal- 
istically assumed to indicate a better per- 
formance. Two of the favored parameters 
are higher scene reflectances than are 
normally encountered and greater trans- 
mittance than is commonly available in 
standard auto-iris lenses with neutral- 
density spot filters. 

Scene Illumination 

The amount of light necessary to produce 
a usable video signal from any video 
camera is a function of: 

• The type and brightness of the source 

• The amount of light energy illumi- 
nating the scene of interest 

• The portion of the light reflected 
from the scene 

• The amount of light transmitted by 
the lens to the imager 

• The sensitivity of the imaging device 
itself. 

An understanding of the relative levels of 
scene illumination produced by natural 
sources, the amount of light reflected from 
typical scenes, and the resultant faceplate 
illumination levels required by the variety 
of image tube and solid-state imagers is 
important to the successful deployment of 
even the simplest CCTV system. 

The percentage of light reflected from a 
scene (reflectance) depends on the inci- 
dent light angle and on the texture and 
composition of the reflecting surface. For 
natural illumination, the reflectance of 
various scenes is relatively independent 
of the angles of incidence and reflection. 
Table 8.1 lists some common surfaces and 
their approximate reflectances. 

Parameters 

The two most important parameters of a 
lighting system for CCTV are its minimum 



Table 8.1 Typical Scene Reflectances of 
Some Common Surfaces. 



SURFACE 


REFLECTANCE (%) 


Empty asphalt surface 


7-10 


Sandy soil, wet 


15-20 


Grass-covered area with 


20-25 


trees 




Red brick building 


30-35 


Sandy soil, dry 


30-35 


Unpainted concrete 


35-40 


Smooth surface 


60-65 


aluminum 




Snow-covered field 


70-75 



intensity and its evenness of illumination. 
The intensity must be great enough to 
ensure adequate performance of the 
chosen camera system. A minimum of 1.5 
foot-candle (fc) is required for a camera 
system using an Fl.8 or faster lens and a 
solid-state imager (Greenwoll, 1991). This 
assumes a ground-surface reflectivity of 
25%. Of equal importance is the evenness 
of illumination, which is characterized by 
the light-to-dark ratio (maximum inten- 
sity to minimum intensity). An excessive 
light-to-dark ratio will produce unaccept- 
able pictures in which the bright areas 
appear washed out, and the darker areas 
appear black due to lack of light. A design 
ratio of 4 : 1 is preferred to allow for envi- 
ronmental and other degradation factors 
to achieve a 6 : 1 maximum over time. 

Cameras are light-averaging devices, so 
when deploying them it is necessary 
to assure that the light level in the 
entire camera field of view is illuminated 
evenly, not only the assessment area. 
As shown in Figure 8.8, light contours 
are distributed throughout the field of 
view, and the entire field of view con- 
tributes to the light-to-dark ratio, not just 
the area between the fences. Computer 
programs that model the expected light 
level from a variety of lamps are available 
and can be used to assist in the initial 
design and layout of exterior and interior 
lighting. These results should be vali- 
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Figure 8.8 Computer Output of Light Contours in an Exterior Perimeter. The brightest 
and darkest spots are not necessarily located between the two fences. The areas under 
the light and outside the outer fence will also be in the field of view. These values will 
determine the light-to-dark ratio, not the values within the assessment zone 



dated by measuring actual light levels 
in an area with similar conditions as 
expected in the application. After imple- 
mentation of the final lighting design, 
lighting surveys should be performed to 
establish a baseline light-to-dark ratio and 
periodically thereafter, in order to estab- 
lish the proper maintenance and replace- 
ment schedule. 

Types of Lighting 

Light sources can be divided into two 
classes — natural and artificial. Natural 
lighting includes sunlight, moonlight, and 
stars. Sunlight and moonlight contain 
both visible light and IR radiation. In 
addition, they are broadband sources, 
that is, they contain all colors and wave- 
lengths of visible light. The spectral 
content of light is important when design- 
ing a video subsystem because a system 
using color cameras and monitors will 
need broadband light, while a system 
using black-and-white components will 
not. Outdoor lighting systems generally 
rely on sunlight during the day and add 



lighting for nighttime operation. Occa- 
sionally, it may be necessary to supple- 
ment the daylight with artificial light, 
such as on dark overcast days. Indoor 
systems can be supplemented by light 
coming in through windows or skylights, 
but generally they use some form of arti- 
ficial lighting all the time. 

Lighting sources include incandescent, 
mercury vapor, metal halide, fluorescent, 
and sodium vapor. Mercury vapor, metal 
halide, and sodium vapor sources are gen- 
erally used in outdoor applications, while 
fluorescent and incandescent are typically 
used indoors. Incandescent lamps pro- 
vide good color rendition, but are inef- 
ficient and have a relatively short lifetime. 
One interesting feature of incandescent 
lighting is that only a small portion of the 
radiation emitted is in the visible region. 
Most of the energy emitted is in the IR 
region, due to the characteristics of the 
tungsten filament (Illuminating Engineer- 
ing Society, 1981). 

Mercury vapor lamps are more efficient 
than incandescent and provide good color 
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rendition. Most street lighting is mercury 
vapor. Metal halide lighting is similar to 
mercury vapor, but is more efficient and 
has better color rendition. Mercury vapor 
lamps have a rated life of 24,000 hours 
compared to the 6,000 hours of metal 
halide lamps. Fluorescent lamps provide 
good color rendition, high efficiency, and 
long life (up to 17,00 hours) but cannot 
project light over long distances. 

The most efficient forms of outdoor 
lighting include high- and low-pressure 
sodium. As the name implies, the differ- 
ence between these two types is the pres- 
sure at which the sodium vapor forms and 
produces light (Illuminating Engineering 
Society, 1981). As a result of this pressure 
difference, low-pressure sodium lamps 
are more efficient, but emit almost mono- 
chromatic yellow light at approximately 
589 nanometers (nm), which makes them 
unusable with color cameras. High- 
pressure sodium lamps are less efficient 
but contain all visible frequencies (Illu- 
minating Engineering Society, 1981), mak- 
ing them more effective when used with 
color CCTV cameras. 

One additional note concerning light- 
ing — if lighting is lost, varying times are 
required to restrike (reenergize) the light 
source. Incandescent lamps are instanta- 
neous and fluorescent lighting is near 
instantaneous, depending on the time 
needed to create an arc in the tube 
(Illuminating Engineering Society, 1981). 
Mercury vapor lamps typically require 3 
to 7 minutes, and metal halide lamps may 
be as long as 15 minutes (Illuminating 
Engineering Society, 1981). High-pressure 
sodium lamps generally restrike in less 
than 1 minute and low-pressure sodium 
lamps in 7 to 15 minutes (Illuminating 
Engineering Society, 1981). Comprehen- 
sive reviews of lighting types and speci- 
fications are available (Illuminating 
Engineering Society, 1981; Kreugle, 1995; 
Fennelly, 1996). 

In general, low-pressure sodium vapor 
lamps are a good choice for exterior illu- 
mination because of their energy effi- 



ciency. These lamps may become difficult 
to procure as time progresses, so compro- 
mises on the type of light must be made. 
Light fixtures should be mounted well 
above camera height. This will prevent 
these bright light sources from intruding 
on the camera's field of view. 

In addition to lighting sources, lighting 
types include: 

• Continuous — a set of fixed lumi- 
naires that provide continuous illu- 
mination during the hours of dark- 
ness. This is the most common form 
of facility lighting. 

• Standby — similar to continuous in 
terms of placement, but luminaires 
are not continuously lighted. Instead 
they are activated when suspicious 
activity is suspected or detected by 
the guard force. The disadvantage to 
this method is that it can alert the 
adversary as to detection and allow 
for an adjustment of tactics. 

• Movable — this type of lighting can be 
stationary or portable and is used to 
supplement other lighting, such as 
manually operated searchlights. 

• Emergency lighting — may be used as 
a backup to the other types or in 
the event of power failures or other 
emergencies that may prevent the 
primary system from operating. This 
will depend on the presence of 
generators or batteries as alternate 
sources of power. 



Transmission System 

The overall function of a video transmis- 
sion system is to connect the remote 
cameras to the local video monitors in 
such a way that no undesirable effects are 
introduced to the video signal. This trans- 
mission system should have a bandwidth 
at least that of the cameras being used in 
the assessment system. 

Video transmission may be accom- 
plished in a number of ways. One of the 
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most widely used techniques for alarm 
assessment purposes using multiple 
cameras is coaxial cable transmission, 
which may be base-band video or video- 
modulated radio frequency. Fiber optics 
is also a good means for video trans- 
mission and is becoming more widely 
used. Microwave links and optical 
(infrared) systems are also used in some 
installations. 

Bandwidth 

The transmission system bandwidth is 
related to the resolution of the cameras 
and monitors. Using the approximation of 
80 lines of horizontal resolution being 
equivalent to 1 MHz of bandwidth (in a 
525-line, 60-Hz system), and considering, 
for example, a camera with a specification 
of 600 lines of horizontal resolution, 
a 7.5-MHz bandwidth will be required. 
For maximum cost-effectiveness and 
optimum system performance, the band- 
width capabilities of all applicable system 
components should match. Monitor reso- 
lution and bandwidth capabilities are 
generally stated in lines of horizontal 
resolution, but of the two components, the 
camera is usually the limiting factor for 
optimized system bandwidth. 



Line Loss 

All copper/coaxial transmission lines, 
including video cables, will have resistive 
and reactive losses associated with them. 
With video cables, the loss is primarily a 
function of the distributed interconductor 
capacitance and core resistance. This 
loss is normally expressed in decibels 
(dB) per unit length (at various operating 
frequencies) or capacitance per unit 
length. Attenuation increases with both 
frequency and section length and varies 
widely with the particular cable type in 
use. For a given distance and frequency, 
the cable attenuation in decibels may be 
determined. If cable loss is greater than 
about 3dB at the uppermost system- 
operating frequency, some form of signal 



conditioning will be required to obtain 
satisfactory performance. 

Signal Conditioning 

The selection of equipment for signal con- 
ditioning is based primarily on the amount 
of attenuation experienced by the video 
signal during cable transmission and the 
amount of noise picked up during the 
transmission. This equipment includes 
video equalizers and hum clampers. 

Video Equalizers Equalizers are used 
to compensate for cable attenuation at 
higher frequencies. An equalizer at the 
receiving end of the cable is commonly 
used in installations since many cable 
losses encountered are usually correctable 
with one equalizer at the receiving end. In 
addition, this location makes the neces- 
sary equalizer alignment much simpler, as 
the equalizer output can be adjusted 
while the video test signal is being 
monitored. 

Most commercially available equalizers 
have an upper-frequency gain limit of 
about 30 dB. This corresponds to the loss 
experienced in about 1500m of RG-11 
cable at 10 MHz. Use of an equalizer at 
both ends of the cable (pre- and post- 
equalization) will extend the gain limit to 
about 60 dB. 

Hum Clampers A clamper is a diode 
circuit used to change the DC level of a 
waveform without distorting the wave- 
form. Of prime importance in the selec- 
tion of a clamper is its ability to remove 
hum from the video input signal. Power- 
line induction or ground-loop currents, 
both of which might be eliminated with 
proper design, usually cause hum. A wide 
range of commercial hum clampers are 
capable of removing power line frequency 
hum. Isolation transformers are used to 
eliminate ground-loop currents. 

Fiber-Optic Transmission Fiber-optic 
transmission does not require signal con- 
ditioning with equalizers and hum clam- 
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pers. Fiber optics uses an optical path 
rather than an electrical path for trans- 
mission. The conductor is a glass or 
plastic fiber rather than copper. A trans- 
mitter to convert the electrical signal to an 
optical signal is required at the camera 
end. At the display area, a receiver is 
required to convert the optical signal back 
to an electrical signal. Ground loops, 
induced noise, and surges from lightning, 
which can damage other video transmis- 
sion equipment, do not occur with fiber 
optics (Malone, 1991). 



Video Switching Equipment 

Most alarm assessment systems use more 
cameras than display monitors. For this 
reason, a video switcher is used to 
connect the multiple video signals (cam- 
eras) with one or more monitoring devices 
(monitors and video recorders). The asso- 
ciated alarm-sensor system generally 
interfaces with the switching system in 
such a way that an alarm in any sector 
causes the associated camera output to 
be automatically displayed on a local 
monitor. 

The simplest type of switcher connects 
one of a number of inputs to a single 
output. One input is connected at a time. 
Multiple output switchers can switch one 
or more inputs to any combination of 
outputs. In a fully connected switcher, 
any input can appear on any output, one 
input can go to all outputs, or different 
inputs can go to each output. 

Switching can be either passive or 
active. In a passive switcher, control is by 
manual input. The actual switching is 
performed by pushbutton contacts, and 
the video signal is routed through the 
switcher with no electronic conditioning 
or timing. Active switchers include input 
and output amplifiers that provide sig- 
nal isolation, impedance matching, and 
amplitude control. Electronic processing 
of the video signal can be included to 
control the timing of switching between 



video signals. The switching path for the 
video signal is through relay contacts or 
semiconductors. 

Some widely used switching systems 
include: 

• manual switching (passive system) 

• sequential switching (all camera 
outputs are sequentially scanned) 

• switching that is alarm activated 
(alarm sector camera information is 
automatically presented to the output 
regardless of the selected input 
before alarm activation) 

• remote switching (some switching is 
done prior to entry of the signals into 
the security command center) 

Switching that is computer integrated 
can be complex and expensive. It 
represents the ultimate in state-of-the- 
art sophistication for video assessment 
system control. With computer control, 
priority ranking of multiple alarm-sector 
displays, automatic recording control, 
sequential switching pattern control, and 
other features are also possible. Addi- 
tional discussion of computer control and 
alarm priority will appear in the next 
chapter. 



Video Recording 

The purpose of the video recording 
system is to produce a record of an event. 
In addition to providing historical infor- 
mation for subsequent study, it provides 
an aid to the real-time assessment by 
adding instant replay stop-action to the 
system. 

The most prevalent system in use for 
CCTV recording is the helical scan system 
(videotape). This system has a relatively 
simple design and is inexpensive, reli- 
able, and easy to operate and maintain. 
Another recording system uses a solid- 
state memory to store frames of video 
data in a looping manner. This sys- 
tem allows instantaneous recording and 
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requires considerably less maintenance 
than the other two systems. The most 
recent addition to recording is the use of 
digital memory and a PC-based system 
to record and store compressed digital 
images on the hard drive of the computer. 
Although all three systems have the same 
basic function (storing video data), the 
characteristics of their usage and price are 
entirely different. 

Characteristics 

Videocassette recorders (VCRs) provide 
long-term storage of large quantities of 
video, are able to store up to several hours 
of real-time video data, and are readily 
removable for later use or observation 
on other machines. The mechanical 
components and tape interface of video- 
tape recorders do not support continuous 
instantaneous recording capabilities. 
Components, like recording or playback 
heads, require frequent maintenance to 
preserve recording capabilities if the 
machine is set in a continuous ready-to- 
record mode. Repairs can be expected 
every several months. Videotapes have a 
limited lifetime and should be replaced at 
least as often as the manufacturer recom- 
mends, and perhaps more often if record- 
ing quality decreases. 

Solid-state memories will record a 
frame almost instantaneously. Its reliabil- 
ity is the best of the recording systems 
because there are no moving parts. The 
most popular devices use a minimum of 
512 pixels x 512 pixels x 8-bit resolution 
memory to map the video image. This is 
the amount of memory required to store 
one frame (2 fields). As noted earlier in 
this chapter, 512 pixels is equal to 384 TV 
lines (512 x 0.75). The 8 bits refer to the 
shades of gray, so in this case there are 256 
shades of gray available within each 
image. Current systems utilize one of 
two techniques. Either two frames are 
recorded (typically half a second apart) 
and played back in a toggle mode to exag- 
gerate any motion in the video scene, or a 
small loop of information (a few seconds 



worth) is recorded and played back for 
real-time review by the operator. Solid- 
state memories utilize a large amount 
of digital memory to store one video 
frame. Real-time recording, even for short 
periods of time, tends to be expensive 
with this system. Digital recorders are 
quickly dropping in price and increasing 
in capacity, but most recorders use some 
type of digital compression, which may 
make a difference in some applications, 
such as those using the image in legal 
proceedings. Because digital images are 
easily modified or manipulated using 
readily available software and computers, 
the legal acceptability of these images is 
still in question. 

The decision to use a tape, solid-state, 
or digital recorder depends on the need 
for instantaneous recording and the 
required resolution. Solid state will be 
required if: 

• the assessment area is small or con- 
tains no barriers or other delay ele- 
ments, allowing an intruder to pass 
through quickly (in less than 5 
seconds); 

• multiple simultaneous alarms can be 
expected, requiring successive obser- 
vation and assessment; 

• the system operator is required to 
perform other functions that may 
prevent him or her from assessing 
alarms within a very short time after 
receiving the report of their occur- 
rence. 



Video Monitor 

Video monitors convert an electrical 
signal to a visual scene on the face of the 
output display. For maximum picture 
detail, the monitors should have a band- 
width at least that of the cameras being 
used in the assessment system. Monitors 
are similar to home television receivers in 
function but generally have wider band- 
widths and do not have RF tuning. Low- 
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impedance (75 ohm) or high-impedance 
(looping) inputs are normally provided. 
High-impedance looping allows a single 
video signal to drive multiple inputs 
(loads). 

The use of black-and-white or color 
monitors is no longer strictly based on 
cost, because the two types are now 
comparably priced. Some applications 
might benefit from the use of color 
monitors, particularly indoors. For ex- 
terior applications, the cost of installation 
and maintenance of a lighting system that 
will allow for color images may be 
prohibitive. For example, low-pressure 
sodium lights will work very well with 
black-and-white cameras, but due to their 
lack of spectral content, will not produce 
useful color images. Use color monitors 
if they provide an advantage, not just 
because they are available. In an exterior 
perimeter protection system where there 
is a need to differentiate between a person 
and a small animal, only the classification 
level of resolution is required. Color 
cameras and monitors will not provide 
any significantly useful information at 
this point. If an unauthorized human 
causes an alarm, it can be assumed to be 
an attack and the response force can be 
deployed. At this point, additional inte- 
rior cameras, which can be color, can help 
track the adversary. Color and black-and- 
white monitors may also be mixed in a 
video subsystem. 

The corresponding maintenance issues 
may offset the added capability of color 
monitors (and cameras) when using color 
video. For example, questions arise as to 
color rendition (is the jacket black or dark 
blue), monitor setup, and white balance 
levels, due to different perceptions by 
human observers. Some observers may 
prefer more red or green, or different 
brightness and contrast. These individual 
differences can compromise the effective- 
ness of the video assessment system. 

When aiming and focusing cameras, 
each zone should be presented approxi- 
mately the same way on the monitor. Gen- 




Figure 8.9 Monitor View of an Assess- 
ment Zone. Each assessment zone, inte- 
rior or exterior, should be centered on the 
monitor and occupy approximately 75% 
of the monitor area 



erally, the assessment zone should occupy 
75% of the monitor area and be centered 
on the screen. A representation of this is 
shown in Figure 8.9. This will make alarm 
assessment easier by presenting a consis- 
tent view to the operator. 

System Compatibility 

A level of monitor performance compati- 
ble with other system components is an 
important concern since the video picture 
monitor is the final output in most assess- 
ment systems. Monitors use the same 
dimensions for horizontal resolution as 
video cameras — television lines. The 
number of active scan lines limits the ver- 
tical resolution of both monitors and 
cameras. There are commonly 340 televi- 
sion lines for a 525-scan-line system; 
hence, the horizontal resolution alone 
may be specified. Monitor resolution is 
frequently expressed with a certain level 
of screen brightness or illuminance. Sep- 
arate degrees of resolution are specified 
for the center (where resolution is nor- 
mally highest) and corners of the screen. 
Monitors having 700 to 800 television 
lines of horizontal resolution are often 
used in 525-scan-line-rate systems operat- 
ing at up to 10 MHz of horizontal system 
bandwidth. 
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An ideal monitor would be capable of 
displaying white, black, and an infinite 
number of shades in between, whereas a 
bistable monitor could display only white 
or black regardless of video input. Moni- 
tors capable of ten discernible shades of 
gray or better have produced acceptable 
results in existing assessment systems. 
Terry (1992) has published an evaluation 
of color monitors. 

Video Controller 

The video controller is the main interface 
between the alarm sensor system and the 
alarm assessment system. This controller 
will automatically control the inputs and 
outputs of the switcher, keep track of the 
recorder, and display the scenes on the 
monitor. 

The video controller consists of a 
microprocessor, minicomputer, or other 
logic interface that automatically provides 
control to the switcher, recorder, and any 
device needing information transfer to 
the assessment system. With this type of 
system control, all alarm data, switch- 
ing/recording commands, and status in- 
formation can be transferred between 
the video system and the host system 
through one communication line. This 
type of system allows the host to be free 
to process other data while the video con- 
troller is handling the video assessment 
data. In complex assessment systems, the 
video controller might be required to 
interface with time/date generators, char- 
acter insertion, video presence detectors, 
environmental housing controls, and any 
other part of the assessment system 
reporting or requesting current informa- 
tion. Several large matrix-switching con- 
trollers are available that include some of 
these capabilities. 

Additional Design Considerations 

The video assessment system should be 
designed as a component of the total 



intrusion detection system. Many interac- 
tions between the video system, intrusion 
sensors, and display system should be 
considered during conceptual design. 
Examples include: 

• site/sector layout — layout of sensors 
so that assessment is possible at a 
reasonable cost 

• video/sensor interference — design of 
the assessment system so as not to 
contribute to the cause of sensor nui- 
sance alarms 

• monitor location — location of video 
monitors in the display system 

• construction — common construction 
and installation requirements, tech- 
niques, and locations 

Site/Sector Layout 

One requirement of a perimeter assess- 
ment system is to display as much as pos- 
sible of the clear zone including both the 
inner and outer fences. Camera/lens selec- 
tion and positioning must ensure detec- 
tion and classification of any visible cause 
of fence and sensor alarms for the clear 
zone at any time. For these reasons, it is 
important that the following criteria 
be observed: (1) The inner/outer fence 
spacing should be relatively uniform; (2) 
minimum width restrictions for the clear 
zone should be considered; (3) grading or 
removal of vegetation of the clear zone 
should be performed; and (4) adequate 
area illumination must be provided. 
Changes from these criteria will generally 
reduce system efficiency and increase 
overall system cost by increasing the 
camera and equipment requirements to 
achieve an acceptable level of system 
effectiveness. As noted previously, each 
exterior assessment zone should use one 
fixed camera per zone to provide the 
assessment capability. 

The effect of using more than one 
camera to assess a single alarm on inte- 
rior locations should be considered. At 
smaller or lower-threat facilities, with 
only a few cameras or with particular 
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video-coverage requirements, multiple 
cameras per alarm may provide ac- 
ceptable assessment without an undue 
duplication of display and recording 
equipment. Large systems will tend to be 
simpler if each alarm is assessed by only 
one camera since decisions regarding 
which cameras are to be switched will be 
simpler and the operator will be able to 
concentrate on a limited selection of 
video for review. 

Video and Sensor Interference 

Typical exterior systems require instal- 
lation of camera towers near the area 
where sensors are installed. Tower height 
and location must be chosen so that 
pole vibration caused by wind does not 
create a source of seismic energy 
sufficient to cause buried cables to alarm. 
In addition, camera towers should be 
placed to prevent their use by an adver- 
sary in crossing the perimeter or isolation 
zone. Power, video, sync, and control 
lines must be placed where noise cannot 
be induced between video cables and 
sensor cables. 

Monitor Location 

Video monitors should be installed in 
the system control console in a location 
that allows effective, rapid assessment 
without interference from other system 
controls and outputs. Additional details 
regarding this aspect of system integration 
will be addressed in the next chapter. 

Construction 

Installing signal and power-distribution 
cables and modifying buildings for equip- 
ment installation will be common for 
many parts of an intrusion detection 
system. Decreased construction costs 
and more effective system design will 
result from combining sensor subsystem 
and assessment subsystem requirements, 
such as conduit and junction box in- 
stallation. Room for system expansion 
should be included within these con- 
struction elements. 



Alarm Assessment by 
Response Force 



Video alarm assessment can be comple- 
mented by visual checks from guards. 
There are situations in which alarm 
assessment will have to be done by the 
guard force. If the video assessment 
system is not operable (due to mainte- 
nance or weather) or if video assessment 
is not available for a particular situation 
(for use within some classified facilities, 
e.g.), the guard force must be able to assess 
the alarm. 

Regardless of whether alarms are as- 
sessed using video or guards, the alarm 
must be assessed quickly after it is 
reported to be most effective. For those 
facilities that use towers, guards in towers 
can provide effective assessment if the 
number, design, and placement of the 
towers are adequate to provide complete 
visual coverage of the perimeter. Patrols 
or roving guards who are sent to investi- 
gate an alarm can provide effective assess- 
ment only if they are able to respond in a 
timely manner (i.e., before the intruder or 
nuisance source disappears) and there is 
still ample delay in the system. System 
design to enable effective alarm assess- 
ment will be discussed in more detail in 
the next chapter. 



Integration with Safety Systems 

Today it is a common practice to add 
many CCTV cameras to a facility to help 
in determining the presence of a safety 
critical event. While these measures may 
reduce labor costs, there may also be a 
decrease in security system effectiveness. 
In large or complex facilities, it may be 
better to separate these functions so that 
the security force will not be distracted by 
safety events that may mask a malevolent 
attack on the facility. In simple facilities 
with low-level threats, co-location of 
these functions may be acceptable, but 
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this may still compromise security system 
effectiveness during an attack. 



ney or law enforcement agency in the 
jurisdiction is recommended. 



Legal Issues 



Camera Selection Procedures 



Proper attention to the right to privacy is 
a major consideration when using CCTV 
systems. It is generally inappropriate to 
locate cameras in locker rooms, bath- 
rooms, or other places where employees 
or visitors have a reasonable expecta- 
tion of privacy. Use of hidden or covert 
cameras is legal under many circum- 
stances, but to be certain, consultation 
with an attorney is recommended to be 
sure that legal authority exists for this use. 
It is also a liability to indulge in the use 
of dummy cameras at a facility. This estab- 
lishes an expectation of protection, which 
can create a liability if a person is under 
attack and believes that the attack has 
been noted and help is on the way. It is 
also an accepted legal practice to post 
signs informing people that an area is 
under video monitoring or surveillance. 
These signs are often placed at facility 
entry points to minimize the number of 
signs and to alert visitors and site person- 
nel of the presence of CCTV. 

The use of recorded video information 
must meet certain standards to be admis- 
sible as legal evidence. Depending on 
the jurisdiction, the following may be 
required: quality of image, time/date 
stamp, percent of scene occupied by the 
subject, and the presence of an eyewit- 
ness. In addition, in many states the pres- 
ence of a unique scene identifier is also 
required. This identifier serves to conclu- 
sively establish where the image was 
recorded. For example, it is necessary 
to differentiate one office or hallway 
from another. Electronic images are now 
using digital watermarks to assure image 
integrity and eliminate tampering, but 
they have achieved varying levels of legal 
acceptance in some states. To be certain 
that recorded images will meet legal 
requirements, consultation with an attor- 



Camera selection should be based primar- 
ily on the sensitivity required for a full 
video output signal in the lighting envi- 
ronment in the area to be assessed. The 
sensitivity must match the lighting design 
goals, regardless of the imager. The reso- 
lution of the imager is next in importance 
because it will determine the number of 
cameras required for a given straight-line 
perimeter selection. The greater the reso- 
lution, the greater the spacing between the 
cameras can be. The object resolution 
required should be determined before the 
camera selection, but in practice, the 
desired object resolution may be slightly 
modified when the possible camera 
choices are limited. 

Camera format is an important consid- 
eration in the camera selection process. 
The format size determines the sensitivity 
of the image tube, with smaller formats 
having reduced sensitivity as well as 
lower resolution. The tradeoff in this sit- 
uation is price, but the cost of the camera 
is only part of the total system cost. 
Format size also affects the field of view, 
which dictates the number of lenses avail- 
able in a variety of focal lengths. The 
requirements of special design lenses for 
nonstandard focal lengths should be con- 
sidered and evaluated at considerable 
length before committing to such action. 

During the selection process, evaluation 
of cameras should be undertaken under 
the real lighting environment expected at 
the site. In many cases, the experience of 
other facilities can help to reduce the 
number of options considered. Manufac- 
turers' literature should not be the sole 
criteria in camera selection. The specifi- 
cations, or the conditions, under which 
specifications are developed, may be 
unrealistic in relation to the design 
problem at hand. 
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Other considerations in the selection 
process should include the difficulty in 
maintenance, the packaging of the camera 
for the environment in which it will be 
used, the maintenance support from 
the manufacturer, and the documenta- 
tion supporting the equipment. Docu- 
mentation should include operating, 
adjustment, and maintenance procedures; 
theory of operation; block diagrams; 
schematics; and manufacturer and com- 
mercial replacement parts lists. Serious 
consideration should be given to elimi- 
nating any manufacturers' product that 
does not include this documentation. 

Acceptance Testing 

A video assessment subsystem requires 
a conscientious approach to installation 
and maintenance in order to assure 
maximum performance. An incoming 
inspection should be made of any cameras 
purchased for evaluation or for the final 
system installation. Obviously, different 
parameters will be evaluated for the two 
situations. Evaluation cameras will be 
compared to other cameras purchased 
for the same purpose. Upon receiving 
cameras for the final installation, camera 
performance should be evaluated to 
determine conformity with the manufac- 
turers' specifications, compatibility with 
the design criteria, and consistent perfor- 
mance from camera to camera. Experience 
has shown that final inspection at the 
manufacturers' plant is not consistent, 
and performance may deviate consider- 
ably from the specifications. Frequently 
some equipment has been damaged or had 
parts shaken loose in transit. Operating 
the equipment continuously for a few 
hundred hours before final installation 
(equipment burn-in) usually decreases the 
maintenance problems during the instal- 
lation phase of perimeter construction. 
Any problems discovered at this point 
should be referred to the manufacturer for 
resolution while still under warranty. 



Exterior cameras should be installed 
according to manufacturer specifications 
and focused at night under the same type 
of lighting expected in normal operation. 
If possible, cameras should be evaluated 
for their resolution capabilities prior to 
purchase. One simple method of checking 
for camera resolution is to use appropri- 
ately sized targets in the assessment zones 
and verify that they can be classified. For 
example, at Sandia we use a set of targets 
shaped as a one-foot diameter circle, a 
one-foot square, and a one-foot-high tri- 
angle. The targets are painted black on 
one side and white on the other. By 
placing the targets at the far field of an 
exterior perimeter assessment zone and 
having an operator view the image and 
recognize (classify) each of the distinct 
shapes, we can rapidly determine if the 
system resolution is adequate. The targets 
can also be moved to bright and dark 
lighting areas to verify that the images are 
still identifiable using the appropriately 
colored side of the target — black for dark 
spots, white for bright spots. The size of 
the target can be varied depending on the 
expected threat at a facility, and resolu- 
tion charts can be used to determine 
resolution in interior or exterior assess- 
ment zones. One-foot targets simulate the 
cross-section of a crawling person; larger 
or smaller targets may be more useful at 
other facilities, based on the threat. Ad- 
ditional aids in determining resolution 
include the use of a large resolution chart 
in the assessment zone or the use of some 
test targets made by CCTV manufacturers, 
such as the Rotakin. The United Kingdom 
employs a Rotakin test target to evaluate 
performance of CCTV systems. It was 
developed in 1989 and is included in the 
CENELEC (European Standards Commit- 
tee) CCTV Application Guidelines Stan- 
dard EN 50132-7. The test target can 
be used to establish system performance 
(image quality /resolution), appropriate 
fields of view, performance of temporal 
compression based systems and cam- 
era shuttering, and recording rates. The 
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Rotakin is usually employed on a stand 
giving a total height of 1.8 m, but may also 
be leaned against a fence or building or 
laid on the ground to simulate human 
attack tactics. Due to the lack of accepted 
resolution standards or requirements for 
private security system integrators, the 
system designer or security manager 
should determine what resolution is 
needed and specify this when placing 
contracts or buying equipment. 

Camera performance can also be veri- 
fied in a laboratory using a test bench. 
This will allow measurements of resolu- 
tion, focus, and sensitivity and can be a 
more cost-effective approach to some per- 
formance testing. The initial verification 
of camera performance using a test bench 
is not sufficient to assure acceptable per- 
formance in a protection system. Some 
CCTV cameras are shipped prefocused; 
however, the environment that these 
cameras are focused in may not be the 
same as the operating environment at a 
facility. Initial testing and verification 
should be followed up with appropriate 
indoor or outdoor testing to confirm that 
cameras will perform as required. Final 
adjustments to camera focus, sensitivity, 
and field of view to account for actual 
lighting or other environmental condi- 
tions can be performed at this time. 

Exterior lighting surveys should be per- 
formed using high-quality light meters 
and a grid pattern, for example at 3-foot 
intervals, one foot above the ground. An 
initial survey should be conducted at 
lighting installation, and then conducted 
yearly thereafter. A preventive mainte- 
nance schedule for light replacement 
should be prepared. Depending on the 
size of the facility and the available 
budget, all lamps can be replaced at the 
same time or lamps can be replaced as 
they fail. In many cases, lamp replace- 
ment in exterior areas will require the use 
of a bucket truck or similar equipment. If 
the equipment is permanently available at 
the site, there will be greater latitude in 
the maintenance schedule than if the 
equipment must be rented. This equip- 



ment can also be used in the replacement 
or maintenance of exterior cameras as 
well. Over a period of time, enough data 
can be collected to establish a routine 
replacement cycle for lamps. In addition, 
consideration of lighting initiation is 
important. A variety of approaches exist, 
such as using one photosensor to activate 
all lights; one cell per light, per side, or 
per sector; or manual activation. 

Interior lighting should also be evalu- 
ated on a continuing basis but will not 
require as substantial an effort as exterior 
assessment areas. Specifications exist for 
the amount of light that should be present 
to enable various tasks, such as reading, 
inspections, or general office work (Illu- 
minating Engineering Society, 1981). In 
most indoor applications, the lighting 
provided to illuminate the work being 
performed is also adequate for CCTV 
cameras, but this should still be verified. 
Particular attention should be paid to the 
movement of furniture or other objects in 
internal assessment areas to eliminate 
shadows or blind spots. 

As mentioned earlier, the speed of the 
video subsystem should also be tested to 
be sure that alarm sensing and video 
capture happen rapidly enough to capture 
the actual intrusion event. Performance 
tests on the number of alarms that can be 
captured and reported within one second, 
camera switching times, and recording 
times can also help determine if the 
system is still performing as expected. 
In addition to performance tests on the 
video subsystem and its components, 
use of acceptance tests for any video 
subsystem provided by a vendor or sys- 
tems integrator is strongly encouraged. 
These tests should address adequacy of 
resolution under actual operating envi- 
ronments, speed of recording, number of 
alarms that can be acquired and stored for 
review in one second, and related details, 
such as light-to-dark ratio. The desired 
specifications and statement of accep- 
tance testing should be included as part 
of the terms and conditions in contracts 
with vendors. 
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With incoming inspection and equip- 
ment burn-in prior to installation, main- 
tenance problems should be minimized 
for the short term. Camera adjustment will 
probably consume most of the mainte- 
nance time. Optical focus of the camera 
lens has consistently been a major time- 
consuming factor in the original installa- 
tion. The day-to-night illumination levels 
and energy spectrum changes are respon- 
sible for most of these problems. Optical 
focus is more reliable if accomplished at 
night under the appropriate scene lighting 
from the final camera location. Cameras in 
sealed environmental housings typically 
pose a serious restriction to this proce- 
dure, and many attempts have been made 
to circumvent or substitute this procedure 
with others. Awareness of these condi- 
tions should reduce problems. 

Maintenance problems are best 
resolved by a competent on-site staff 
capable of understanding the complex- 
ities and interrelationships of all of 
the concepts used in the original system 
design as well as having a background in 
electronic systems troubleshooting. Spe- 
cific, periodic maintenance requirements 
should come from the equipment manu- 
facturer in the form of printed docu- 
mentation. Also, it is useful to have a 
specification for nuisance alarm rates, as 
this will allow some number of nuisance 
alarms to occur without penalty. The 
value of occasional nuisance alarms is 
that they maintain confidence that the 
system is working. An example of a 
nuisance alarm specification might be 
one nuisance alarm per zone per day. 
The number should be small enough 
to allow continuing operation under 
expected varying conditions, but not so 
high that a vulnerability is created. This 
can occur if the allowable number is set 
too high, or by having so many nuisance 
alarms that the guard force is tempted 
to ignore the alarm over time. Any recur- 
ring nuisance or false alarms should be 
investigated for possible system improve- 
ment. As with any security equipment 
maintenance performed by outside per- 



sonnel, all equipment should be checked 
after the maintenance activity to assure 
that systems are fully operational and 
unmodified. 

Equipment logs should be kept that 
detail replacement or repair of various 
system components and appropriate 
spares should be kept on hand. Depend- 
ing on the budget and site size, 10% 
to 20% of each component (cameras, 
monitors, lamps, VCRs, etc.) spares 
are recommended, especially for cameras. 
If cameras are replaced by newer 
models or different types, they should 
be tested for compatibility and perfor- 
mance and appropriate notes made in 
the maintenance log. There should also 
be contingency plans explaining what 
will be done if CCTV capability is lost 
for varying periods of time or at one or 
more locations. These may include 
assigning a guard to the location until 
the system is repaired or deploying 
portable systems. 

Manufacturers' equipment documenta- 
tion should be preserved at the site as well 
as at a central document storage location. 
Any equipment modifications made on- 
site should also be documented and 
stored at these two locations. A mainte- 
nance log of all camera repairs and ad- 
justments should be kept to provide a 
historical record of each piece of equip- 
ment. Maintenance trends can be estab- 
lished to identify recurring problems and 
equipment failures. This practice will 
substantially reduce repair time and iden- 
tify any equipment performing in a sub- 
standard manner. 



Summary 

This chapter describes assessment of 
alarms through the use of a video subsys- 
tem. Assessment and surveillance differ, 
with the major difference being that an 
assessment system associates immediate 
image capture with a sensor alarm to 
determine the response. Surveillance 
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systems are those that collect video infor- 
mation without associated sensors. 

In addition, the relationship between 
detection and assessment is explained 
in some detail. Because it is a basic 
security principle that detection is not 
complete without assessment, assessment 
of sensor alarms is required to complete 
the detection function. Assessment may be 
accomplished by dispatching guards to an 
alarm location or through the use of CCTV 
cameras. The preferred approach is to use 
cameras, particularly in those instances 
when an immediate response is required. 
Cameras provide a faster method of assess- 
ing alarms and thus allow a faster response 
to any malevolent attacks. 

A video alarm assessment system con- 
sists of cameras at assessment areas, 
display monitors at the local end, and 
various transmission, switching, and 
recording systems. The major components 
include: (1) camera and lens to convert an 
optical image of the physical scene into an 
electrical signal; (2) lighting system to 
illuminate the alarm location evenly with 
enough intensity for the camera and lens; 
(3) transmission system to connect the 
remote cameras to the local video moni- 
tors; (4) video switching equipment to 
connect video signals from multiple 
cameras to monitors and video recorders; 
(5) video recording system to produce a 
record of an event; (6) video monitors to 
convert an electrical signal to a visual 
scene; and (7) a video controller to inter- 
face between the alarm sensor system and 
the alarm assessment system. 

The determination and use of resolution 
is described in some detail, and the rela- 
tionship of resolution to camera placement 
is also explained. Application of resolu- 
tion is explained through the use of three 
levels — detection (presence of an object), 
classification of the object (person versus 
rabbit), and identification of the object 
(Joe, not Frank). Based on tests conducted 
at Sandia National Laboratories, a resolu- 
tion of 6 lines per foot is suggested in order 
to classify a crawling human target. The 



level of resolution required depends on the 
expected threat, their tactics, the target 
asset that is to be protected, and the way 
the video information will be used. Alarm 
assessment system performance must 
support protection system objectives. 
Where an immediate on-site response is 
needed to protect high consequence 
targets, the system resolution and timing 
must be sufficient to enable a timely 
response, while the delayed response asso- 
ciated with lower consequence loss assets 
can tolerate some reduction in system per- 
formance. An immediate on-site response 
may be necessary to protect high-conse- 
quence targets, while a delayed response 
can suffice for lower consequence targets. 
The alarm assessment subsystem must 
be designed as a component of the in- 
trusion detection system. Interactions 
between the video system, intrusion 
sensors, and display system must be 
considered. 



Security Principles 

Detection is not complete without 
assessment. 

Humans make poor detectors but are 
good at assessment. 

For an effective on-site response, the 
time between an alarm and assessment 
must be short. 

Resolution of CCTV cameras falls into 
one of three classes — recognition, classifi- 
cation, or identification. The appropriate 
category will establish the resolution 
required for the assessment system. 

Speed of the video assessment sub- 
system must allow for the capture of 
images in time to acquire the cause of 
the alarm in order to make an accurate 
assessment. 



References 

Damjanovski, V. CCTV, 3rd ed. Boston: 
Butterworth-Heinemann, 2000; 7-153. 



Alarm Assessment 



143 



Fennelly, L.J. Handbook of Loss Preven- 
tion and Crime Prevention, 3rd ed. 
Boston: Butterworth-Heinemann, 1996; 
253-267. 

Greenwoll, D.A. "An evaluation of in- 
tensified solid-state video cameras." 
SAND90-2566 1991; 1-60. 

Illuminating Engineering Society of North 
America (IES). IES Lighting Handbook, 
Reference Volume. New York: IES of 
North America, 1981; 8.2-8.55. 

Kruegle, H. CCTV Surveillance: Video 
Practices and Technology. Newton: 
Butterworth-Heinemann, 1995; 65- 
126. 

Malone, T.P. "An evaluation of fiber 
optic closed circuit television trans- 
mission systems for security applica- 
tions." SAND90-2556 UC-515 1991; 
1-24. 

Mackworth, N.H. "Researches on the mea- 
surement of human performance." In 
Sinaiko, H.W., ed., Selected Papers on 
Human Factors in the Design and Use 
of Control Systems. New York: Dover, 
1961; 174-331. 

Terry, RL. "A laboratory evaluation of 
color video monitors." SAND93-0051 
1993; 1-24. 

Terry, RL. "Initial laboratory evaluation of 
color video cameras." SAND91-2579 
1992; 1-30. 

Terry, RL. "Initial laboratory evaluation of 
color video cameras (phase two)." 
SAND91-2579/2 1993; 1-51. 

Tickner, A.H, Simmonds, D.C.V, et al. 
"Monitoring 16 television screens 
showing little movement." Ergonomics 
1972; 15(3):279-291. 

Tickner, A.H, and Poulton, E.C. "Monitor- 
ing up to 16 synthetic television 
pictures showing a great deal of move- 
ment." Ergonomics 1973; 16(4):381- 
401. 

Ware, J.R., Baker, R.A., and Sheldon, R.W. 
"Effect of increasing signal load on 
detection performance in a vigilance 



task." Perceptual and Motor Skills 
1964;18:105-106. 

Questions 



1. Discuss the following application 
considerations: 

• 100% of the detection area 
should be assessed. 

• A single camera should be used 
for one sector. 

• Coaxial video cable and power 
cables should be located 
separately. 

• A pan/tilt/zoom camera system 
should not be used when 
immediate on-site assessment is 
required. 

• The camera view should be free 
of any blockage, such as fence 
lines, to assess an exterior 
perimeter sector. 

• Cameras and lights should be left 
on, even when there is no alarm. 

2. Compare video alarm assessment 
and video surveillance. What are the 
strengths and weaknesses of these 
methods? 

3. How could the placement of video 
equipment (poles, cables, camera 
housings) disturb intrusion sensors? 

4. Why do we say detection is not com- 
plete until after the alarm has been 
assessed? 

5. How could an intruder avoid being 
assessed in a system? How could 
this be minimized, and how much 
more would it cost? 

6. How could assessment time be 
reduced? 

7. Using the formulas provided in the 
text, calculate the maximum usable 
assessment zone for a V 2 " format 
camera with 600 lines of horizontal 
resolution and a 20-foot assessment 
zone width using the specified 
lenses: 
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Lens 


6 mm 


12 mm 


25 mm 


50 mm 


Near field distance 










Far field distance 










Maximum Usable Zone 











If you knew that the sensor detection 
volume was 300 feet long, which 
lens would be best? Why? Is there a 
better standard lens size available 
that could be used? Why or why not? 



8. Using Figure 8.7, the computer 
room, propose a new design us- 
ing two cameras and two different 
sensors. 
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Atartn Assessment 



Alarm communication and display 
(AC&D) is that part of a PPS that 
transports alarm and assessment informa- 
tion to a central point and presents the 
information to a human operator. New 
developments in electronic and com- 
puter technology have changed the design 
of alarm communication and display 
systems over time. It is now possible to 
quickly collect and process a wide variety 
of information; the challenge is to effec- 
tively present this information in order to 
enable decisions about what actions are 
needed. Equipment and techniques that 
are available for reporting alarms to an 
operator are described in this chapter. 
Because many AC&D systems also inte- 
grate the functions of intrusion detection 
systems and entry control, some informa- 
tion is also provided for use when con- 
sidering these functions. 

The two critical elements of an AC&D 
system are: 

• the transportation or communication 
of data 

• the presentation or display of that 
data to a human operator in a mean- 
ingful manner 



Evolution of Alarm Reporting 
Systems 



In general, security alarm systems use 
simple contact closures, such as magneti- 
c switches mounted on doors, to detect 
an intrusion. Early systems communi- 
cated this information using annunciator 
panels, which had a set of colored lights 
for each sensor to indicate the alarm 
status in security zones. Typically, red 
lights were used to signal sensor detec- 
tion, yellow to indicate the zone was in 
access (alarms disabled), and green to 
show the secure operational state. On an 
alarm, the operator would manually cor- 
relate the alarm to a specific area, then 
switch the appropriate camera (if present) 
to a monitor, and determine the proper 
response. If no CCTV cameras were avail- 
able, a guard was dispatched to the area 
to investigate the cause of the alarm. This 
system, though time-consuming, did have 
some advantages: the simple electrical 
components were well understood; there 
was a direct correlation between the lights 
and a specific sensor; and the system was 
easy to maintain. 



145 



146 



Design Physical Protection System 



Annunciator panels also have several 
limitations. Cost can be very high because 
separate circuitry is used for each zone; a 
large amount of physical space may be 
needed for a panel that monitors a large 
number of zones; and the indicator lights 
can display only a limited amount of 
information. 

As more sophisticated technology 
became affordable, alarm communication 
systems were developed to transmit 
multiple alarm signals simultaneously, 
incorporate computer control, and add 
video capability through CCTV integra- 
tion. Each of these subsystems offered 
improvements, but when installed as 
independent units created a system that 
was difficult to operate and learn to use. 
They also put a heavy load on human 
operators in crisis situations. Modern 
systems integrate technology components 
into a coordinated and effective system. 
When combined with appropriate proce- 
dures, and trained people, these systems 
represent the best method to collect, 
assess, and respond to security events at 
a facility. 

AC&D Attributes 

The most useful AC&D systems have 
certain characteristics. Systems must be 
designed to withstand the environments 
in which they are placed. If a component 
will experience wide temperature varia- 
tions, such as in an exterior environment, 
the equipment must be designed to with- 
stand those variations without failing. 
Robustness is a measure of system perfor- 
mance in all probable environments. 

AC&D components and systems should 
be designed to last a long time. The indi- 
vidual components should be reliable and 
have a long mean time between failure 
(MTBF). A reliable system requires less 
maintenance and is more trusted by oper- 
ators. Other aspects of reliability include 
reliable communication and display of 
alarm data, and no loss of information. No 



communications system has 100% guar- 
anteed information delivery; however, 
modern communications equipment can 
approach that goal by implementing tech- 
niques for checking and verifying data. 

Electronic components will eventually 
fail. Good AC&D systems take this chance 
of failure into account and provide re- 
dundant or backup capability for critical 
components. By maximizing the robust- 
ness, reliability, and redundancy of AC&D 
systems, the time an AC&D is inoperable 
or down for repair can be minimized. 

Alarm information must be available to 
security personnel in a timely manner. 
The AC&D system speed should be a 
small fraction of the overall alarm assess- 
ment and response force time. These 
times will vary from site to site, but AC&D 
speed should be a negligible factor in cal- 
culating response or assessment times. 

The AC&D system is a major component 
in the overall PPS. Because the PPS pro- 
tects the site's critical assets, it follows 
that the AC&D system must be secure 
from attacks by adversaries. For example, 
procedures should limit who has access to 
AC&D displays and the system configura- 
tion, and only authorized persons should 
have access to AC&D information, com- 
ponents, and wiring. As part of this 
protection, the alarm communication 
subsystem should also be secured from 
access by attackers. 

AC&D systems must be easy for an oper- 
ator to use. While a multitude of sensors 
can provide considerable data, this data 
must be displayed in a fashion that 
presents the essential information to the 
operator. In addition, the user must not be 
overwhelmed with data, interaction with 
the system must be efficient, and users 
must be able to perform necessary opera- 
tions quickly and easily. A system that 
is easy to use also reduces the amount of 
training and retraining needed. 

Each of these general characteristics 
plays a part in the overall effectiveness 
of an AC&D system, but the single most 
important measure of AC&D effectiveness 
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is how well it quickly and clearly com- 
municates alarm data from sensors to 
the system operator. When an alarm event 
occurs, the AC&D system must com- 
municate to the operator the following 
information: 

• where an alarm has occurred 

• what or who caused the alarm 

• when the alarm happened 

The operator should also know how 
to respond. This can be accomplished 
through training and AC&D system 
prompts. Moreover, all AC&D activity 
must occur in a timely fashion, so 
AC&D system speed is a measure of 
its effectiveness. 

The difficulty with this effectiveness 
measure is its relationship to the response 
time of a human operator. Measuring 
operator response is a very difficult pro- 
cess. Electronic communications systems, 
on the other hand, are quantifiable. This 
dual character of AC&D systems makes 
measuring system effectiveness more 
complex. Communications systems can 
be understood, network topologies 
modeled, and system times measured. 
When people are involved, however, 
softer sciences such as ergonomics, 
human factors engineering, and physiol- 
ogy studies are also needed. 

The AC&D system is divided into 
several subsystems: communications, line 
supervision and security, information 
handling, control and display, assess- 
ment, and off-line subsystems. These are 
discussed in detail below. 

Alarm Communication Subsystem 

The communications subsystem trans- 
fers data from one physical location to 
another. Specifically, an AC&D com- 
munications subsystem moves data from 
the collection point (sensors) to a central 
repository (display). If the central reposi- 
tory consists of multiple computers or dis- 



plays, then the communication subsystem 
may also move data throughout the 
repository. 

The basic concepts of AC&D com- 
munications incorporate a design model, 
detailed system functions and how they 
relate to the other AC&D requirements, 
size of the system and the topologies used, 
and the combination (in hierarchies) of 
simple system configurations. Alarm com- 
munication systems have several charac- 
teristics that drive the design. These 
characteristics include the quantity of 
alarm data, high reliability needed for the 
system, and speed at which data must 
be delivered. The following discussion 
details each of these system characteris- 
tics and describes the role of these char- 
acteristics in system design. 

If a sensor activates, the alarm commu- 
nications system must assure that accu- 
rate data pertaining to this activation 
is received by the AC&D computers. 
Assured message delivery means the 
communication system must be reliable. 
In addition, alarm data must be transmit- 
ted in a timely manner. Both human- 
factor considerations and interactions 
between the AC&D and assessment sys- 
tems drive alarm-reporting speeds. 

Human factors require alarms to be 
reported with no perceptible delay. For an 
operator, no perceptible delay is a few 
tenths of a second. Interactions between 
the AC&D and the assessment system 
require reporting times to be a small 
fraction of the total assessment time. 
Although total assessment times can vary 
widely, AC&D and assessment system 
interaction should only take milliseconds. 
Such reporting speeds require fast alarm 
communications since communications 
times are only a part of the total alarm 
reporting time. 

Other factors are also important when 
designing an effective alarm communica- 
tion system. Physical media must have 
sufficient bandwidth to handle the com- 
munications for the system when operat- 
ing at full capacity. Protocols, or the 
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special set of rules for communicating 
used by the end points in a telecommuni- 
cation connection when they send signals 
back and forth, are important components 
of system design. System speed dictates 
the types of protocols used in the system, 
and protocol overhead must be appropri- 
ate for the types of data being transmit- 
ted. In addition, channel bandwidth and 
protocol overhead must be balanced to 
provide the required system speed. 

The best possible communications 
system would provide instant communi- 
cations with 100% reliability. In reality, 
it is not possible to meet this standard. 
Moreover, high-speed, high-reliability 
systems are expensive. A good communi- 
cation subsystem design balances the 
cost of the system with its performance. 
Depending on the design, a range of pro- 
tocols can be used to balance speed, reli- 
ability, and cost. 

To ensure that messages reach the 
operators in the highest security or most 
complex systems, redundant hardware 
is required to handle cases of hardware 
failure, and the system must be able to 
automatically route messages through the 
redundant hardware as required. In addi- 
tion, the protocols used should detect and 
correct message errors and duplicate mes- 
sages. The Open Source Interconnection 
(OSI) model using recommendation X.200 
of the International Telecommunications 
Union (ITU, 2000) describes one way to 
think about communications systems by 



dividing system functionality into seven 
groups known as layers. From lowest to 
highest, these layers are physical, link, 
network, transport, session, presentation, 
and application. For AC&D systems, inter- 
est focuses on those OSI layers that 
provide robustness, redundancy, and 
speed. The layers of interest are those 
at the lowest level — the physical, link, 
and network layers. These layers are des- 
cribed in Table 9.1. 



Physical Layer 

The physical layer describes the electrical 
and mechanical aspects of a communica- 
tions channel. The physical layer also 
describes the functional and procedural 
methods used by a channel. The physical 
layer includes the type of communication 
media, such as wire or fiber cables, 
network architectures, such as loops, 
stars, or buses, and low-level pro- 
tocols such as EIA-422 (Electronic Indus- 
tries Association) or direct current line 
supervision. 

Communication media types relate to 
the physical characteristics of materials 
used to build a link. Common media types 
used to move data from one physical spot 
to another are twisted-pair copper wire, 
broadband copper wire, fiber-optic cable, 
and RF communications links. 

Twisted-pair copper cable is the most 
common media type in use today. This 



Table 9.1 OSI Model Layers as Applied to AC&D Systems. 



Physical Layer The physical layer provides mechanical, electrical, functional, and procedural 
methods used to transmit information from one place to another. It deals with 
the media (wire, fiber, etc.) and functional topology (star, bus, point-to-point) 
characteristics of a communications channel. 

Link Layer The data link layer provides protocol delimiters and framing information. This 

layer also performs basic error-checking. 

Network Layer The network layer provides addressing, sequencing, flow-control, 

receipt/acknowledgment, and error-handling services. The network layer takes 
higher-level data and packages it for transmission. 
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cable supports many different electrical 
protocols and is easy to install and main- 
tain. Its long history of use in telephone 
circuits makes twisted pair almost ubiq- 
uitous. Twisted-pair cables provide two 
wires (a pair) for a communications link. 
Twisted pair's weakness is its suscep- 
tibility to electromagnetic interference. 
Lightning, power surges, and common 
mode signals are all easily coupled into a 
twisted-pair link. Twisted pair also has 
distance and bandwidth limitations. High 
bandwidth signals can be transmitted reli- 
ably over only relatively short distances. 
Therefore, twisted-pair cables are best 
used for paths of less than 0.6 miles in 
length. 

Broadband cables are similar to twisted 
pair. Both cable types use copper wire, 
and the cable provides two conductors to 
implement the communications link. The 
difference is in the physical layout of the 
cables. Broadband cables take advantage 
of the special electrical characteristics 
of various wire configurations to improve 
the cable parameters, thereby increasing 
distance. Some twisted-pair cable can be 
broadband if the number of twists in the 
wire is constant over the entire length of 
the cable. 

The most common broadband cables 
are coaxial cables. Coaxial cables are 
typically used to transmit video or high- 
speed network data. As with twisted pair 
cable, coaxial cable is susceptible to elec- 
tromagnetic interference sources such 
as power surges and lightning and can 
support many different types of electrical 
protocols. Coaxial cable, because of its 
special physical configuration, is more 
expensive than twisted-pair cable. Broad- 
band cables are best used for paths of 
fewer than 1.2 miles in length. 

Fiber-optic cables use glass or plastic 
fibers to transmit data using light. Fiber 
cables are a very high-bandwidth media. 
Properly installed, fiber is robust and reli- 
able. Other advantages of fiber include its 
immunity to electromagnetic interference 
of all types and its long transmission dis- 



tance characteristics. Multimode fiber 
can operate over distances of 1.2 miles or 
more. Special single-mode fibers can 
extend that distance as much as 12 miles. 

Fiber is more expensive and more diffi- 
cult to connect than copper wire cables. 
Special tools and training are required 
to properly connect fiber systems. Be- 
cause fiber cable does not use electricity, 
it is not well suited for slow or low band- 
width signals. In addition, fiber is ex- 
cellent for transmitting fast digital data, 
but it is not well suited for analog signals. 

RF (radio frequency) links use radio 
transmitters and receivers to send data. 
The media is actually the electromagnetic 
signal that passes between a transmitter 
and receiver. RF links are not typically 
used in AC&D communications because 
of their poor security characteristics. 

Network Architecture 

Network architectures describe how com- 
ponents of a system are interconnected. 
The most cost-effective method of con- 
nection for a given installation often 
depends on the layout of the sensors. 
These connections, or wiring configura- 
tions, can be point-to-point, star, loop, 
bus, rings, or a combination of these 
configurations. 

The simplest wiring configuration is 
point-to-point — devices are connected 
directly to one another. An example of 
this connection type is shown in Figure 

9.1. Point-to-point connections are used 
as the basis for other architectures. The 
simplicity of a point-to-point connection 
makes it easy to use. 

The star architecture, shown in Figure 

9.2, uses a collection of point-to-point 
connections to wire multiple devices back 
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Connections 



Wiring 



150 



Design Physical Protection System 




Figure 9.2 Star Wiring Architecture 



to a single central point. Star networks are 
commonly used to bring sensor data back 
to a field panel. Star networks are easy 
to understand and use, but they are not 
redundant. This approach can be cost- 
effective for layouts in which the alarm 
display system is centrally located among 
a group of sensors. 

The star method of transmission is 
characterized by the use of a separate wire 
pair between each sensor and the alarm 
display system. Each wire pair is inde- 
pendent, and there are many physical 
routes into the alarm display system. This 
can be an advantage because then a single- 
point failure only disables part of the 
system. The disadvantages are that there 
may be excessive cabling and that expan- 
sion sometimes requires putting multiple 
sensors on one input line because there is 
no room left for adding more cables. 

Loops use point-to-point connections to 
chain devices together. Figure 9.3 shows 
a typical loop configuration. Loops start 
and end at the same physical location. 
Loops are more efficient users of media 
than star networks. Loops can also have 
redundancy if each point-to-point con- 
nection is bi-directional. Special physical 
layer functions must handle the forward- 
ing of message traffic around the loop. 

Devices in a bus network share the same 
common media. Like loops, bus architec- 
tures are efficient users of media. Because 
devices share the media, the protocol 
must arbitrate which device is actively 
communicating at a given time. However, 




Figure 9.3 Loop Wiring Configuration 
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Figure 9.4 Bus Wiring Configuration 




Figure 9.5 Ring Wiring Configuration 



the bus network is not as reliable as 
other networks. A single device failure 
can cause all communications to cease. 
Also, bus networks are not implicitly 
redundant. A bus network connection is 
shown in Figure 9.4. 

A ring is a special case of the bus 
network topology, as shown in Figure 9.5. 
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Rings, like buses, share the same physical 
media. Rings, however, connect devices 
together in a circle rather than a line. A 
ring is a special bus with redundant fea- 
tures. Rings also share the reliability fea- 
tures of bus networks. Ring networks 
are not as reliable as loop or star con- 
figurations because, like rings, a single 
device failure can cause communications 
to cease. 

The basic network building blocks can 
be combined to form more complex 
networks. Hierarchical networks combine 
one or more basic networks in a nested 
fashion. One common AC&D hierarchy 
combines star networks with bus or loop 
networks to connect sensors to the AC&D 
system computer. Hierarchies can be used 
to provide redundancy to networks that 
do not implicitly have redundancy. 

Hierarchical networks add complex- 
ity to an AC&D communications system. 
While hierarchical networks can be effi- 
cient, they are difficult to use, and in some 
cases can slow system performance. Per- 
formance degradation is most apparent 
when the communications system uses 
too many levels of nested networks. 

Security Considerations 

An alarm reporting system is of little 
value if the communication link from the 
sensor to the control center fails to report 
alarms due to accidental or intentional 
damage. Physical protection techniques, 
such as metal conduit, can be employed 
to prevent or delay physical access to the 
line. A communications line protected by 
metal conduit is most secure if the joints 
are securely welded. For long distances, 
burial of the communication line is costly 
but will delay an attacker. Extra wires or 
fibers should be included in the cable 
when burying it to allow for either future 
expansion or individual line failure. It 
is recommended that either the cable in 
conduit be encased in concrete or the 
cable path be covered with concrete or 
asphalt and that manhole protection be 
provided. If the entire area surrounding 



the cable path is paved, then digging will 
be discouraged, and the exact location of 
the cable will be more difficult to detect 
by an adversary. The recommended place- 
ment for communications lines is to run 
them inside a secured area. This limits 
access to those persons with authorized 
access to the area. 

Low-Level Protocols 

Direct current (DC) protocols use a steady 
direct current to detect changes in line 
resistance. DC protocols are low speed 
and are distance limited. The available 
bandwidth for a DC signal is low, so only 
a very limited amount of data can be 
passed. This protocol is commonly used 
to transmit sensor switch status. 

The many alternating current (AC) pro- 
tocols use a time-varying signal to trans- 
mit information. AC protocols are most 
commonly used over twisted-pair phone 
lines. In such an application, data are 
transmitted using tones or other modula- 
tion methods (modulation is provided by 
a modem). Data can be sent long distances 
over copper cables using AC protocols. 

Digital signals can be considered a 
type of AC signal because they use time- 
varying signals to transmit data. Digital 
signals, however, transmit data in a binary 
fashion. Digital data are either ON or 
OFF. Modulation methods may be used to 
send this binary data. Digital signaling 
protocols are usually paired with network 
layer functions to improve the reliability 
of message transmission. 

The Electronic Industries Association 
(EIA) has developed several standard 
electrical protocols for sending asynchro- 
nous digital data, including EIA-232, EIA- 
422, and EIA-485. These three standards 
are commonly used to transmit medium- 
speed data between computers. Serial 
protocols using EIA electrical standards 
must be used in conjunction with good 
link and network layer functions. The EIA 
standards detail electrical and mechanical 
issues but do not specify link and network 
layer functionality. Without good link and 
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network layers, serial protocols are not 
reliable. 

There are also several high-speed 
network protocols commonly used in 
AC&D communications, including Ether- 
net, token ring, and fiber distributed data 
interface (FDDI) protocols. These proto- 
cols are considered high-level protocols 
and provide a rich set of communications 
services. Network protocols are reliable 
and can be redundant. Unfortunately, 
network protocols are not always the best 
choice because they are expensive. More- 
over, providing a rich set of services adds 
overhead that can affect speed. 

Link Layer 

The link layer handles packaging data for 
transmission and may add delimiters and 
framing information to allow the data to 
be sent. Outgoing data is formatted for 
transmission, and incoming data is 
unpacked or deformatted. The unpacking 
allows the link layer to perform error- 
checks. 

Error-checking is an important feature 
of the link layer. Communication sys- 
tems cannot be perfect transmitters of 
information because errors sometimes 
occur. Error detection allows the link 
layer to notify higher layers when things 
go wrong. The ability of a link layer to 
perform error-checking depends on the 
protocol used. Simple protocols, such as 
DC analog signals, may provide a simple 
good/bad status, while network protocols 
perform error checks on each packet of 
transmitted information. Network proto- 
cols allow for higher levels to request 
retransmission of problem packets. Thus, 
network protocols can be more reliable 
than simple DC signals. 

Network Layer 

The network layer provides the overall 
redundancy and reliability of a communi- 
cations system. Network layers handle 



flow control, receipt/acknowledgment, 
and routing. While the lower layers of 
the OSI model do not guarantee message 
delivery (i.e., reliability), the network 
layer provides this capability. 

More reliable network layers make 
good use of flow control. Flow control 
determines which device is communicat- 
ing and when. Also, flow control keeps 
track of messages and determines if 
duplicate messages have been sent. The 
higher-level protocols provide detailed 
flow-control features. Lack of flow control 
can cause loss of messages or receipt 
of duplicate messages at the receiving 
devices. 

These functions provide message 
acknowledgment services to sending de- 
vices. In reliable communications sys- 
tems, receipt/acknowledgment guarantees 
a sender that a message has been de- 
livered one time. Combining receipt/ 
acknowledgment and flow control pro- 
vides the system with the ability to re- 
send missed messages, thus increasing 
system reliability. 

Redundant systems must provide mul- 
tiple communications paths, and routing 
is a function of the network layer that 
selects a particular path. When failures 
occur, routing allows a communications 
system to pick alternate paths. The 
routing function is most common in 
higher-level protocols. 

Line Supervision and Security 

Good communications systems use pro- 
tocols that allow for error detection. In 
AC&D systems, errors induced by adver- 
saries or attempts to spoof or disrupt 
communications are important to dis- 
cover. Techniques used to detect these 
induced errors or disruptions are called 
line supervision, which provides commu- 
nications system security. Line supervi- 
sion is the process of monitoring the 
communication link to assure that it is 
operating correctly and that data has not 
been altered during transmission. Com- 
munication links can be divided into two 



Alarm Communication and Display 



153 



categories — passive and active. A signal is 
sent over a passive link only when an 
alarm occurs. A break in the link will 
prevent alarms from being reported, and 
the break will not be discovered unless a 
test of the system is performed. In con- 
trast, a continuous signal is transmitted 
over an active link, allowing immediate 
detection of breaks in the link. 

Vulnerabilities exist for all physical 
media. Landlines are vulnerable to envi- 
ronmental disturbances and attack; radio 
links are vulnerable to jamming or attack 
at the transmitter and receiver. Radio 
transmissions are also more susceptible 
to electrical interference and weather- 
related phenomena than are landlines, 
which typically have been buried or 
enclosed in a grounded metal conduit. In 
addition, radio transmission can be inter- 
cepted by anyone at even great distances, 
but landlines require that a potential 
attacker gain physical access to the line in 
order to determine what information is 
being transmitted. These vulnerabilities 
necessitate the use of line supervision, in 
addition to physical protection measures, 
to provide secure communications. 

Types of Supervision Supervisory sys- 
tems monitor the communication link to 
ensure that it is operating correctly 
and that data has not been altered during 
transmission. Supervisory systems can 
either be static or dynamic. Static systems 
always represent the secure condition by 
the same signal. Because the signal can 
be easily discovered and characterized 
by an adversary, substituting a counterfeit 
signal can easily defeat the static system. 
Dynamic systems, on the other hand, gen- 
erate a continually changing signal to rep- 
resent the secure condition. Such systems 
are more difficult to defeat. Most modern 
dynamic systems use encryption tech- 
niques to provide supervision. 

A fiber-optics communication system 
is more self-protecting than equivalent 
copper-wire systems. LEDs or lasers trans- 
mit the signal over glass fibers. Tampering 



with such glass fibers is difficult to accom- 
plish and easy to detect. In addition, the 
principles of fiber operation make the 
substitution of counterfeit data difficult. 
For these reasons, fiber optics are more 
secure. 

The goal of a static supervisory system 
is either to detect access to the protected 
line or to prevent successful substitution 
of a counterfeit signal. Systems may use 
DC or AC supervision. Each system can be 
described by its sensitivity, which is the 
amount that the current can vary from 
the nominal value before an alarm is pro- 
duced. Typical systems have sensitivity 
ranges of 2% to 30%. 

DC supervision employs resistors at the 
end of the line to maintain a constant 
current in the line. A specific current 
outside the normal range indicates an 
alarm condition, such as a sensor alarm or 
a tamper alarm. A highly sensitive system 
is only slightly more difficult to defeat 
than a much less sensitive system and 
is considerably more prone to nuisance 
alarms. The extra expense for high sensi- 
tivity is unwarranted. DC supervision is 
relatively inexpensive and provides ade- 
quate protection against casual threats 
such as vandalism and accidental cutting 
of the cable. 

AC supervision monitors the amplitude 
and the phase of the imposed AC signal 
for alarm conditions. Greater electronic 
expertise is required to defeat this scheme, 
but only slightly more effort is necessary. 
Little can be done to counter an attack by 
a knowledgeable adversary. As with the 
DC system, high sensitivity does not sig- 
nificantly improve the security of AC 
supervision. The greater expense and only 
slight increase in security that AC super- 
vision provides make DC supervision a 
more attractive choice for AC&D systems. 

Dynamic supervision alters the secure 
signal over time. An adversary has great 
difficulty in first determining the nature of 
the secure signal and then substituting 
a counterfeit signal. The ideal dynamic 
supervisory technique uses a random 
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number sequence or key to encode each 
data message. The major problem associ- 
ated with such an encoding scheme 
is storing the key information. Security 
is reduced when the number of keys is 
reduced. 

Theoretically, dynamic supervision 
techniques are vulnerable to a sophisti- 
cated attack. An attacker may be able to 
record the output from a transmitter 
and play it back to the central site at a 
slightly slower rate. The reduced data rate 
may not be detected. Eventually, enough 
secure signal data may be accumulated to 
cover the time required for an intrusion. 
To combat this, a dynamic system must 
employ unique messages and two-way 
transmissions to detect the attack. 

Encryption Systems Modern block en- 
cryption systems can be used to reduce 
the number of random encryption keys 
required for line supervision. With such 
systems, protection of the key information 
must be maintained, and key information 
must not be transmitted over the commu- 
nications channel. To do so would allow 
an adversary to use recorded data and 
brute force techniques to ultimately de- 
feat the system. The security of encryp- 
tion systems, therefore, depends on key 
management. 

Encryption systems work best on block, 
or contiguous, data. However, the simple 
binary data provided by sensors is not in 
block form. Additionally, many encryp- 
tion schemes require that the block data 
be unique for every transmission. Unique- 
ness can easily be provided using 
message-counting techniques, but add- 
ing a unique number to each sensor 
message increases the message size and 
requires communications links with 
greater bandwidth. 

Encryption keys cannot be automati- 
cally distributed. Most encryption systems 
provide mechanisms to manually key 
the equipment. This requires an autho- 
rized person to key each encryption 



station in the AC&D system. In addi- 
tion, some systems require new keys to be 
inserted in a specific order. Another issue 
is that while keying is in process, parts of 
the system are off-line. 

Although encryption provides good 
line supervision and security, the expense 
of manual key management and the need 
for greater link bandwidths has prohib- 
ited its use for sensor line supervision. 
Encryption is best used for links between 
data-gathering equipment and the central 
computers, or between computers in the 
AC&D system. However, encryption is 
necessary for communication lines 
outside the secured area. 

If the transmitter and the receiver do 
not use exactly the same random number 
key for a transmission, then the decoded 
data is incorrect, and the system must 
reset. Often, the same sequence of random 
keys is used every time a reset occurs. It 
is possible for an attacker to record no- 
alarm data after one reset and use this to 
cover an intrusion. 

Data transmission errors can cause the 
data to be rejected. An error may result 
in rejection of a block of data, or in some 
systems, all subsequent data. One solu- 
tion is to implement error-detection or 
-correction techniques before verification 
or decoding. Another solution is to ignore 
a single block of erroneous data and then 
require that several contiguous transmis- 
sions be erroneous before an alarm is 
reported. However, requests for retrans- 
mission and indications of acceptance 
or rejection of data are not secure prac- 
tices. An attacker could substitute data 
infrequently enough to be ignored by 
the system, yet get immediate feedback 
as to whether the false data has been 
accepted. 

These examples show that use of 
encryption alone is not sufficient to 
protect AC&D communications. By de- 
feating the protocols used to send data, 
there are many possible ways to defeat 
encryption systems. AC&D system users 
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and designers should be cautious when 
evaluating or using encryption systems to 
ensure that such protocol attacks are not 
possible. 

Physical protection and line supervi- 
sion are primarily intended to protect the 
communication link between the link's 
endpoints. The link may still be vulnera- 
ble at the interface with the sensor, at 
various junction boxes along its route, 
and at the entry to the central console. 
At these points, additional security can 
be achieved by employing enclosures 
equipped to indicate intrusion or tamper- 
ing. This tamper indicator should be 
treated as a sensor and be provided with 
a separate reporting circuit rather than as 
a series or parallel part of another sensor 
circuit. If this is not done, the system 
cannot differentiate between a tamper 
alarm and a line open or a line short. 

Information Handling 

An AC&D communications system moves 
alarm data from sensors to a central 
location. This central location is usually 
a single computer or is sometimes a col- 
lection of computers. The central com- 
puter processes the alarm data into use- 
ful information. These processing func- 
tions make up the information-handling 
subsystem. 

The information-handling subsystem 
provides functions to model the real-time 
state of the sensor. Alarm-handling func- 
tions, such as assessment or access status, 
are also performed. Alarm data is orga- 
nized and categorized by geographic 
location, priority, or other common 
characteristics. The information-handling 
subsystem may then use expert systems 
or alarm analysis techniques to prioritize 
information for display. This subsystem 
can then trigger control actions such as 
video switching messages. 

System states store information on the 
operational status of system components, 
keep track of which components or con- 
soles are in control, and store information 



on operator status. In other words, it 
stores all relevant system information. 
The sensor state stores information 
about sensors. Some of this information 
includes: 

• sensor name (a descriptive name for 
the sensor) 

• sensor location (the geographic loca- 
tion of the sensor) 

• sensor type (a description of the 
sensor type) 

• sensor history (summaries of the 
sensor activation history) 

• maintenance data (information on 
the maintenance history of the 
sensor) 

• other data (as needed for alarm 
analysis) 

• alarm status of sensor 

The most important data stored in the 
sensor state of the system software model, 
however, is the current alarm status of the 
sensor. This data includes both the acti- 
vation and access (i.e., disabled) status 
of the sensor. The sensor model reflects 
the real-time status of every sensor 
attached to the AC&D system. It is critical 
that the information-handling system 
models all sensors completely and that 
the model accurately reflects actual con- 
ditions around the site. 

Sensor Data Issues The raw data that 
drives the information-handling system 
is the sensor alarm data. Each sensor pro- 
vides information on its status (secure, in 
alarm, in access, in tamper, or failed) so 
that individual alarm points are modeled 
in the sensor model. The information- 
handling system then combines and cate- 
gorizes this information. 

Most sensors are combined into groups. 
Therefore, individual sensor information 
is best utilized when it is combined with 
information from other sensors. In many 
ways, a group of sensors can be thought of 
as a super-sensor that is an aggregate of all 
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its component sensors. Sensors are 
usually grouped geographically. Sensors 
closely related in space are usually 
handled as a single entity. For example, 
it makes sense to group sensors that are 
in the same room or to group complemen- 
tary sensors protecting a single perimeter 
sector. Geographic sensor groupings are 
also easier to display to operators. Even 
when sensors are grouped, the system 
must provide the capability to present a 
status of individual sensors. 

Prioritization is a method used to assign 
relative importance values to various 
sensors or groups. Generally, sensors 
closest to the asset are given a higher pri- 
ority than those farther away. This is an 
example of a simple static prioritization 
scheme. 

Besides prioritizing by proximity to the 
assets, priorities can also be set dynami- 
cally. Dynamic priorities are usually set 
on groups of sensors. For example, if more 
than one constituent sensor in a group is 
active, that group may be assigned a 
higher priority than other sensors or 
groups. Sensor or group priorities are 
used to direct the system and operators 
to those events that are most important. 
There are many different prioritization 
schemes that can be employed. The goal 
is to use a system with a scheme that pro- 
vides the operator with the best informa- 
tion to assess the situation. 

Alarm information is commonly dis- 
played based on priority and time of 
arrival. Those events with the highest pri- 
ority and occurring most recently are 
displayed first. It is also possible to group 
and prioritize sensor information based 
on likely activation sequences. 

Given the location of sensors and the 
likely path taken by an adversary, it is 
possible to construct timing sequences of 
likely attack paths. If sensors placed in 
those paths activate at times predicted by 
the timing sequence, then the probability 
of intrusion is greater. The information- 
handling system can perform such analy- 
sis on alarm data. Those sensor activations 



that match the sequence analysis may be 
displayed with higher priority. 

Alarm handling is the sequence of 
operations that the information-handling 
system performs to process sensor al- 
arm data. There are several operations 
involved including acknowledgment, 
assessment, and access. 

Acknowledgment is a user action. The 
user may acknowledge alarms explicitly 
through some action, or the acknowledg- 
ment may take place in conjunction with 
some other operator action. An acknowl- 
edgment tells the alarm-handling system 
that the operator has seen the alarm. 
Unacknowledged alarm points usually 
flash and cause an audible signal to the 
user. Acknowledged alarms can cause 
the information-handling system to bring 
up real-time video or other assessment 
actions. The information-handling system 
then keeps track of the acknowledged 
state of sensors. 

Assessment, which is the process of 
determining the cause of an alarm, is 
another operator function. When opera- 
tors request assessment video, the infor- 
mation-handling system controls video 
switching equipment and video storage 
equipment and then cues the appropriate 
video for the specified sensor or group. 
The information-handling system may 
then enter data concerning the assessment 
into the system log files. 

Access is an optional operator func- 
tion. An accessed sensor is one for which 
the system will ignore intrusion alarms; 
however, tamper alarms will be reported 
and displayed to the operator. Sensors 
will often be placed in access during 
daytime operations at a facility or to 
allow maintenance activities in an area. 
The alarm status of accessed sensors is 
not displayed to the operator unless it is 
a tamper alarm. While the information- 
handling system may continue to track 
sensor status, that status is not reported. 
Requested accesses are controlled by 
the information-handling system. Some 
systems require two or more operators to 
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concur with access requests. The infor- 
mation-handling system enforces this 
two-or-more person concurrence. 

Intelligent Alarm Analysis Intelligent 
alarm analysis is a new area of research 
focused on applying alarm processing and 
sensor fusion techniques to provide infor- 
mation that is more useful to the central 
alarm station operator. The goal is to cor- 
relate and integrate a variety of inputs to 
modify the confidence in an event. Inputs 
include sensor information and features 
from several sensors, environmental data, 
knowledge of sensor performance under 
certain conditions (e.g., weather and 
visibility conditions), sensor priority, and 
recent operator feedback. 

Intelligent alarm analysis also incorpo- 
rates trend analysis using historical 
knowledge of nuisance-alarm data to 
identify installation, setup, or mainte- 
nance problems. Future research includes 
integrating site data, such as sensor con- 
figurations and target locations, to predict 
intruder movements and intentions and 
then aid in dispatching a response force. 
Intelligent alarm analysis is a high-order 
process that takes a global look at the 
intrusion detection system to enhance the 
information passed to the operator. 

Alarm Control and Display 

The control and display subsystem of the 
AC&D system presents information to a 
security operator and enables the operator 
to enter commands affecting the operation 
of the AC&D system. The ultimate goal 
of the subsystem is to promote the rapid 
evaluation of alarms. The alarm display 
equipment (operator's console) receives 
information from the sensors. There are 
several concerns that must be addressed 
in the design of the operator's console, 
including the following: 

• what information is presented to the 
operator 



• how the information is presented 

• how the operator communicates 
with the system 

• the arrangement of the equipment at 
the operator's workstation 

An effective control and display sub- 
system presents information to an oper- 
ator rapidly and in a straightforward 
manner. The subsystem also responds 
quickly to operator command. However, 
the display subsystem should not over- 
whelm operators with detail — displays 
should show only necessary information, 
and control functions should be limited to 
those that make sense in the context of the 
current display. 

Examples of information that can be 
presented to aid in zone security include 
the following: 

• the access/secure/alarm/tamper 
status of the zone 

• the geographical location of the zone 

• the time of the alarm 

• information about any special 
hazards or material associated 
with a zone 

• instructions for special actions 

• telephone numbers of persons to call 

• maps of the secure area 

Related considerations include ways of 
alerting the operator to the fact that action 
is required. A major system design task is 
to specify the various details of the oper- 
ator interface. For example, the type of 
display equipment, the format, and other 
visual features of the information that is 
to be displayed, and the design of the 
input equipment must be determined. 
The human factor considerations of 
various hardware components and soft- 
ware techniques are discussed in the fol- 
lowing sections. 

Ergonomics — Human Factors 

The control and display subsystem must 
be designed with the human operator in 
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mind. Meeting standard personnel occu- 
pancy conditions relative to temperature, 
humidity, noise, and general comfort 
factors provides an environment that 
enhances an operator's effectiveness 
and reduces frustration and fatigue. For 
example, adjustable lighting allows illu- 
mination levels to be chosen as desired for 
enhancement of the viewing contrast on 
cathode ray tube (CRT) displays. Addi- 
tionally, the console design should facili- 
tate the exchange of information between 
the system and the operator, such as 
alarm reports, status indications, and 
commands. 

A good human interface improves the 
mechanics of issuing commands and of 
deciphering the information presented. 
Thus, the amount of data displayed 
should be limited to only the data 
required by the operator. Also, data 
should be presented in a manner that 
makes its interrelations obvious. On the 
other hand, the techniques for transferring 
information from human to machine 
should limit the opportunity to make 
errors without compromising system 
efficiency. 

As a result of these requirements, the 
work area design must consider the fol- 
lowing factors: 



normal working position. Indications and 
operator inputs should be prioritized and 
the most important ones placed in the 
primary interface area, as illustrated in 
Figure 9.6. Displays in this primary inter- 
face area do not require extreme eye or 
head movement from the operator's line- 
of-sight. Placing the principal items to be 
viewed within a 30-degree viewing cone 
will avoid such extreme movement. 

Frequently used operational displays 
should be located in the secondary area. 
Eye movement, but not head movement, 
from the normal line-of-sight may be 
required. Infrequently used support dis- 
plays, such as backup systems and power 
indicators, may be placed beyond the sec- 
ondary area. 

Because the operator's attention is 
not always directed to the display panel, 
audible signals are effective for alerting 
the operator to a significant change of 
status. Audible alarm characteristics, 
such as pitch and volume, can be used to 
separate classes of alarms (e.g., security, 
safety, or maintenance). Computerized 
voice output may also allow the operator 
to keep his or her eyes on the area under 
observation. Care should be taken when 
using audible signals to keep the types 



• what the operator must be able 
to see — people, equipment, displays, 
and controls 

• what the operator must be able 
to hear— other operators, communi- 
cations equipment, and warning 
indicators. 

• what the operator must be able 
to reach and manipulate — hand or 
foot controls and communications 
equipment. 

Points to Consider 

The space around the operator consists of 
zones of varying accessibility and visibil- 
ity. All displays should be approximately 
perpendicular to the operator's line-of- 
sight and should be easily visible from the 
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Figure 9.6 Placement of Operator Con- 
trols in an AC&D Console. The primary 
areas include the computer monitor and 
keyboard. The secondary area includes 
alarm assessment monitors 
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and number of signals to a very small 
number. Signals must be unique and be 
distinguishable in the rich audible en- 
vironments commonly found in AC&D 
control rooms. 

Displays are generally placed in the 
center of the console. Controls are located 
on, below, or around the displays and 
must be readily identifiable. Clear label- 
ing, color-coding, well-spaced grouping, 
and coding by shape accomplish this 
identification. Labels should be large 
enough to be clearly identifiable. Locating 
a control near the appropriate display 
minimizes searching and eye movement. 
Touch panels locating controls on the 
display eliminate the need for many other 
control devices. 

System consoles should provide a 
visual signal in conjunction with any 
audible signals. A visual signal, such as a 
flashing light or blinking message, should 
be used to identify the significant infor- 
mation. Colored lights or indicators 
display the status of alarms more clearly. 
For example, traffic light colors of red, 
yellow, and green are easily recogniz- 
able as indicators for alarm/action, 
caution/abnormal, and proceed/normal, 
respectively. 

Support equipment should be located 
in relation to its importance and fre- 
quency of use. Communications equip- 
ment such as microphones, telephones, 
additional CCTV monitors, and controls 
must be given the console space necessary 
for their functions. Equipment that is 
not necessary for display and control 
functions should not be located in the 
operator's immediate workspace. Locating 
computers and automatic control cir- 
cuitry (i.e., CCTV switching equipment 
and communication electronics other 
than microphones and controls) in a 
separate room offers several advantages. 
More space can be available for mainte- 
nance personnel and operator activities 
are not interrupted by maintenance. Dis- 
tracting noises, such as fans, are reduced. 
The equipment can be secured from unau- 



thorized tampering, and equipment envi- 
ronment conditions can be different from 
those of the operators (e.g., equipment 
may have additional cooling and humid- 
ity requirements). 

When more than one person at a time 
operates the console, it is necessary to 
consider the interrelationships among the 
operators and equipment. Essential equip- 
ment should be duplicated for each oper- 
ator, but operators should have common 
access to secondary or infrequently used 
equipment. 



Ergonomics — Graphical Displays 

Well-designed graphical user interfaces 
(GUI) provide a capability for enhanced 
display of security alarm information 
in computer-based systems. Conversely, a 
poorly designed interface can quickly 
overwhelm an operator. This section 
describes types of graphical information 
that can be displayed on a computer 
monitor screen and offers guidance on 
how best to display that information. 
Limits on the complexity of the user inter- 
face are proposed, and guidelines are 
suggested for the display of maps and 
sensors. 

Foremost, a good graphical annunciator 
has a limited number of features. Current 
GUIs provide a wealth of features for 
displaying information. A good display 
limits the ways information is displayed 
and places constraints on which opera- 
tions are allowed. 

The window, a rectangular region on 
the display screen, is the primary method 
of displaying information in today's GUI. 
A window can be any size up to and 
including the entire display screen, and 
multiple windows can be visible at any 
one time. A window can contain text, 
graphics, or controls. Multiple windows 
of various sizes allow maximum flexibil- 
ity when displaying information. A good 
alarm display, however, should limit the 
size and number of windows. No more 
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than three windows should be visible 
at any one time. One of these windows 
should be the full size of the screen and 
should contain an overview of the system 
status. A smaller window containing sub- 
ordinate information can be displayed 
as needed. Subordinate windows should 
never be larger than one-half of the screen. 
A third window may be displayed that 
contains menus or other operational con- 
trols. Limits on the number and size of 
windows allow operators to quickly find 
important information. Windows should 
not have to be resized or moved to view 
information. 

A menu is a list of available commands. 
When a command is selected, a function 
is performed. Menus are usually displayed 
along the top of a window and can be 
nested. That is, selecting an item causes a 
subordinate menu to be displayed with 
additional items. Menus provide a clear 
and concise method of organizing system 
commands. A menu structure should not 
be too large or over-nested. A good menu 
should have no more than nine items 
and should not be nested more than three 
levels. Users tend to get lost in deeply 
nested menus. Limiting the number of 
items in a menu reduces the time required 
to find a particular item, and limiting the 
number of nested levels makes a menu 
structure easier to use. Complicated menu 
structures are intimidating to new users, 
and experienced operators find them 
annoying. 

Although menus can display system 
commands in an easy-to-use structure, 
common commands should not be placed 
in menus but should be available as 
buttons. A button simulates the action 
of a pushbutton switch. An operator can 
push a button to initiate system action. 
Depressing a mouse button or key on 
the keyboard activates the buttons. Only 
the most important commands should be 
placed on buttons, and only those 
commands that are valid in the current 
context should be available. Buttons can 
be very flexible. Sensor or map icons can 



be made to act as buttons. Buttons can be 
grouped into button bars. A button bar 
organizes buttons into a single area on 
the screen for ease of access. Buttons can 
be context sensitive, although changing a 
context button should be done in a con- 
sistent manner. Generally, if a button is 
performing the same function on different 
screens the location of the button should 
not move, but some systems change the 
button function based on context. Good 
examples are the access and secure func- 
tions for a sensor. If a sensor is in the 
secure state we might show an access 
button. However, if the button is in the 
access state it makes no sense to show 
an access button. In this case, it is more 
appropriate to show a secure button, to 
allow the operator to change the state of 
the sensor automatically. Some systems 
display the access or secure button in 
the same location on the screen, but only 
the appropriate button is visible based on 
context. If they are used correctly, context 
sensitive buttons can help the user inter- 
face, but perhaps the best use of con- 
text dependent controls is to direct the 
user's actions. Good user interfaces only 
allow the operator to control functions 
that make sense based on the system state. 
If there are no sensors in alarm, it makes 
no sense to allow the user to assess an 
alarm. This type of context sensitive user 
interface is a great aid in making the 
AC&D system easy to use. Button flexibil- 
ity must not be overdone. Visible buttons 
should be limited to a maximum of nine. 
Buttons should have good descriptive text 
labels that indicate their function. 

The primary advantage of GUIs is the 
capability to display maps or graphics 
of the secured area. Maps allow the user 
to quickly relate a security alarm to its 
location. Several map sources are possi- 
ble, and all of these sources fall into one 
of two groups: either scanned copies of 
paper media, or electronically created 
graphics. 

Either group provides a useful graphic 
for alarm annunciation. Of all the possi- 
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ble graphics sources, the best is a stylized 
sketch based on a topographic map or 
other hard-copy map. Standard maps 
usually have too much detail for effective 
use in security applications. Effective dis- 
plays require small-scale maps of about 
1:5,000. An operator can create a sketch 
based on a larger-scale map and can elim- 
inate unnecessary detail, while providing 
the necessary scale. Any maps provided 
for annunciation should be interactive. In 
other words, the system should represent 
sensors on the map and provide mecha- 
nisms for the operator to display and 
control those sensors by performing oper- 
ations on the graphic. 

To support an interactive map, sensors 
or sensor groups should display on the 
graphic. All sensor graphics or icons 
should use the same graphic, be the same 
size, and use consistent colors. When 
feasible, the sensors should be displayed 
together as a single icon. This type of 
display can reduce screen clutter. No map 
should contain more than 50 sensor or 
group icons, although the total number of 
sensors displayed can vary based on the 
complexity of the map graphic. A sensor 
icon should represent the associated 
sensor, and sensor states should be dis- 
played using unique colors and shapes. 

Grouped sensor icons should indicate 
the state of the worst-case sensor associ- 
ated with the group. For example, if any 
sensor in the group is in alarm, the group 
icon should indicate an alarm. A sensor 
in alarm could be the worst-case sensor 
state, but other sensor states are possible 
and should be displayed. 

Graphically displaying information on 
a map does not eliminate the need for 
textual display of information. Dedicated 
areas of the display should be provided 
for descriptions of sensors. A good system 
will also provide some type of online or 
quick help. Also, text should be limited 
to vital information only; details can be 
placed in subordinate windows. 

Although color can be an effective aid 
in highlighting important information, it 



should be used sparingly. A user should 
not be dependent on colors to operate a 
system, since about 10 percent of the 
population have some form of color blind- 
ness. The number of colors should be 
kept to seven or fewer. Every additional 
color visible on the screen adds to the per- 
ceived complexity of the display. Menus, 
buttons, and backgrounds should be in 
consistent shades of color, with gray being 
a very common color choice. Maps should 
be black and white or use low-saturation 
colors. The primary colors should be 
reserved to indicate sensor status — red for 
alarms, yellow for access, and green for 
secure status. 

The overriding design philosophy for 
any security system must be operator first. 
Operators must always be in command 
of the system. To achieve this goal, follow 
these design rules: 

1. Minimize the number of actions 
required to perform any command. 
An operator should only have to 
click the mouse once or depress a 
single key for any major operation. 

2. Only valid operations, based on 
context, should be available. For 
example, the operator should not be 
able to access a sensor if it is already 
accessed. 

3. The system should use prompts to 
guide the operator through com- 
plex operations. A context-based 
command selection (see item 2) 
could be used to direct operators' 
actions without removing their 
control. 

4. Annunciator systems should never 
override an operation in progress. If 
the user is assessing an alarm, then 
the system must never replace the 
information currently present for 
assessment to notify of a new alarm. 
The assessment should continue, 
and a nonintrusive notification of 
the new event should occur. The 
operator can then decide whether 
or not to abort the current oper- 
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ation. This principle applies in all 
situations. 

5. Systems should not annoy the 
user. Avoid using loud, continuous 
alarms or bright, flashing displays. 
The user is the most important factor 
to successful system operation. 

6. Options should be available for 
performing any single command. 
What is simple for one user may be 
complex for another. Commands 
available as menu items, buttons, 
and keystrokes result in a friendlier 
system; the user could then select 
the preferred method. 

The purpose of any AC&D system is to 
enhance site security. If a system fails in 
its security task, then it is a failure as 
a system. Fancy graphics cannot salvage 
an ineffective system. A simple-to-use 
system is much more likely to succeed 
than an unnecessarily complex one. Con- 
sider a simple user interface and limit the 
total number of maps, sensors per map, 
buttons, menus, dialog boxes, and colors. 



Assessment 

Figure 9.7 shows a typical operator's 
console for an effective control and dis- 
play subsystem. The horseshoe shape of 
the equipment bay allows the operator to 
view and reach all racks conveniently. 
The console provides all functions 
necessary to: 

• assess alarms 

• use the CCTV subsystem 

• request system status 

• change sensor state 

• reconfigure console monitors 

• log into the system 

• recalibrate any touch-sensitive 
panels on the CRTs to initiate 
sensor self-tests 

• select the primary or standby mode 
of operations 

• issue duress alarms 

• silence audible alarms 

Graphics Monitors 

In a computer-based AC&D system, one 
color graphics monitor is situated directly 







Figure 9.7 State-of-the-Art AC&D System. Components are placed to make the operator 
most effective 
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in front of the operator seated at the 
console. Under normal operating condi- 
tions, the monitor displays the site 
map. The site map indicates the overall 
security status of the facility and func- 
tions as a locator for selection of 
detail maps. 

The site map is a symbolic represen- 
tation of the entire facility. The map dis- 
plays messages concerning the security 
status of the facility and presents but- 
tons by which commands are given to the 
system. Perimeter sectors and vehicle 
gates are reproduced in their relative 
positions. Sensored buildings are drawn 
to represent their relative sizes, shapes, 
and positions within the facility and are 
identified by building number. Selecting 
a building or perimeter sector causes 
its detail map to appear on the graphics 
monitor. Note that the map is a stylized 
sketch of the site and not an actual 
scale drawing of the site. The site map 
should show a large-scale representa- 
tion of the facility with only those 
elements necessary for the security 
functions shown. 

The detail maps are representations of 
buildings, areas within buildings, and 
perimeter sectors. Buttons across the 
bottom of each map allow the input of 
commands to the system. Such maps 
show the locations of sensors and cameras 
and are available for all buildings con- 
taining sensors and cameras as well as 
for all perimeter sectors. The symbols for 
cameras and sensors can be touch- 
sensitive, allowing their use for entering 
commands to the system. The buttons at 
the bottom of the display may also be 
touch-sensitive and provide an alternate 
method for entering commands. 

CCTV Monitors 

Four black-and-white CCTV monitors are 
included in an automated AC&D system 
design to allow operators to view scenes 
generated by the site cameras. Three 
monitors automatically display scenes for 
alarm assessment or scenes manually 



chosen by the operator for status determi- 
nation. One monitor is available for 
assignment by the operator and is nor- 
mally used for surveillance rather than for 
alarm assessment. Figure 9.8 shows the 
arrangement of these four monitors. 

One primary CCTV monitor displays 
live video coverage of the highest priority 
alarm zone, while the monitor next to it 
replays the images that were automati- 
cally recorded when the alarm occurred. 
If additional alarms are awaiting assess- 
ment, a third monitor displays alarm 
scene coverage for the alarm that has been 
assigned the next highest priority by the 
system. The fourth monitor is always 
available for manual use by the operator. 
The system designer must decide whether 
the three automatic CCTV monitors will 
only display an image on an alarm or will 
always present some video information. 
The most effective systems will only 
display scenes of zones that need assess- 
ment of an alarm. The system should 
allow the operator to switch video to any 
monitor, but this selection should be over- 
ridden in the event of an alarm. 
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Figure 9.8 Arrangement of CCTV Moni- 
tors in a Display Console. Monitor 1 
shows the current live image of the zone 
with the highest priority alarm; Monitor 2 
shows the recorded video of the same 
area; Monitor 3 displays the recorded 
video of the next highest priority alarm; 
and Monitor 4 is available for operator 
use 
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Input Devices 

The operator can communicate with the 
control and display system through the 
use of one or more input devices. Such 
input devices include a typewriter key- 
board, a function keyboard, a touch- 
screen, a mouse, or a track ball. The 
appropriate input device should be 
selected for the intended use. The input 
command structure should be designed to 
be natural and easy to use, and should 
also be protected against input errors. 

A CRT display often employs a type- 
writer keyboard for input. Keyboards 
are best suited for lengthy input requiring 
alphanumeric input, such as password 
entry, assessment annotation, or combina- 
tions of letters, numbers, and other keys 
that supply commands and queries. The 
use of such a keyboard may be unsatis- 
factory for several reasons. 

Operator commands that are not chosen 
naturally make the system difficult to 
learn and confusing to operate (e.g., 
typing the letters ACK for acknowledg- 
ment). Requiring several keys to specify a 
zone or command increases the opportu- 
nity for error and degrades operating 
speed. Small, closely spaced keys also 
promote errors. Confusion between I and 
1, between O and 0, and between upper 
and lower cases may occur. A system that 
is intolerant of input errors may produce 
results ranging from annoyance and time 
loss to a complete loss of operator control. 

A special-purpose keyboard, on which 
each key is clearly labeled to identify 
its function, may be a preferable input 
device. Function keyboards are effective 
for rapidly entering security responses, 
such as acknowledge or secure. A limited 
range of computer inputs improves 
system security. The design should 
provide the operator with only enough 
keys to perform tasks. If a standard key- 
board is necessary for computer program 
modification, then the keys that are not 
necessary for day-to-day operation should 
be covered or ignored by the system. 
Desirable keyboard features are tactile 



feedback in which the operator can tell 
that the key has been depressed enough 
to be activated, audible feedback, and 
instantaneous response. 

A touchscreen overlaying a CRT display 
is the most versatile and easy-to-use input 
device. Input simply requires touching 
the appropriate words or symbols dis- 
played on the screen. Touch panels are 
used for command entry because it is 
natural to point to a location on a map. 
Entering a command by pointing is less 
error prone than typing the command 
at a keyboard. Touchscreen technology, 
however, is fairly expensive. As computer 
use has become more prevalent, the use 
of a mouse or trackball is a more cost- 
effective method. 

Personnel at some facilities prefer to 
use a computer mouse or trackball for 
entering commands on a CRT display. 
This tendency has increased in recent 
years with the advent of the personal com- 
puter. The mouse or trackball is used to 
move a pointer to the appropriate symbol 
on the screen. Pressing a switch on the 
mouse enters the desired command. Often 
a system will have more than one type of 
device for operator input. 

Operator Interface 

The operator interface is utilized to 
communicate with and control the AC&D 
system. Lighted pushbuttons should only 
be used with small systems. Commercial 
interfaces are available to support a key- 
board, a mouse, or a touch panel as an 
interactive device for computer-driven 
displays. 

Many agencies require not only a record 
of the information received from the 
alarm system but also of the actions taken, 
judgments made, and the parties respon- 
sible for legal purposes. Keeping a manual 
record of such information is feasible 
for small AC&D systems, but provision 
should be made for automatic record 
keeping in computer-driven systems. A 
full keyboard provides flexibility in such 
record keeping but consumes significant 
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time in an environment requiring rapid 
interaction. A preferred approach utilizes 
mouse or touch-panel selection of prede- 
fined messages. 



Offline Systems 

This section describes several simple sub- 
systems that perform noncritical fun- 
ctions for the AC&D system. These 
subsystems are noncritical because they 
are not necessary for the AC&D system to 
perform its primary function of display- 
ing and controlling alarm points. Offline 
systems are critical for configuration and 
maintenance of an AC&D system. 

Event Logs 

The purpose of the event logging system 
is to record all events that happen on 
the AC&D system. An event is any sensor 
change, operator command, or operator 
assessment. System failures also generate 
events. All events are saved on the 
system for possible later review. Each 
event is tagged with the current date 
and time. 

A logging system is useful for record 
archiving and performing system mainte- 
nance. As noted above, many facilities 
have a legal need to archive event 
information. Maintenance personnel can 
review historical logs of sensor activa- 
tions. Analysis of the log data can disclose 
sensors that are out of alignment, or 
expose sensors that have long-term 
problems. 

The logging system may also be used to 
assess operator performance. When all 
operator commands and actions are 
logged on the system, analysis of the event 
logs can reveal how well specific opera- 
tors are handling AC&D operation. Such 
operator assessments can be used to tailor 
refresher-training courses. 

If enough detail is recorded in the event 
logs, the logs can be used to generate 
training scenarios. As actual alarm data is 
received, it is recorded in the event log. 



With a flexible logging system, alarm acti- 
vation events from the log can be played 
back to an operator as if they are real 
alarm events. A playback system also 
allows the event logging system to be used 
as a training tool for operators. The event 
logs can also be used after the fact to 
reconstruct the events leading up to an 
adversary intrusion. 

Use of Databases 

Many systems keep event data in a rela- 
tional database. The use of a database 
allows more than one console to view 
log information. This ability can be most 
useful because while the system is 
running maintenance, training, or super- 
visory functions, personnel can be 
viewing the event logs. 

Event Printer 

Many AC&D systems use a printer for 
each system event. This event printer pro- 
vides a hard-copy backup of the event log. 
Also, operators can make use of the hard- 
copy events to generate shift reports or 
review previously assessed alarms. With 
modern computer hardware and redun- 
dant storage systems, the event print may 
be unnecessary. However, many operators 
are comfortable with the event printer 
and use it in daily operations. If the AC&D 
system provides a supervisor's console for 
viewing event logs, the designer should 
consider eliminating the event printer. 

Supervisory Consoles 

A supervisor's console may be employed 
by an AC&D system for retrieval of previ- 
ously stored data. This database console 
provides a means of retrieving system 
event logs and generating reports. Super- 
visory consoles allow authorized users 
to configure the AC&D system, review 
and analyze event data, and act as back- 
up display consoles. Adding extra con- 
soles allows supervisors and maintenance 
personnel to perform their functions 
without interrupting the primary AC&D 
operators. 
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AC&D System Design 



AC&D systems are the glue that holds the 
PPS together. AC&D systems must inte- 
grate with a variety of other systems and 
must do so in a seamless manner. This 
section describes how an AC&D system 
must integrate with other components of 
the PPS. AC&D systems usually connect 
to the entry control systems, assessment 
systems, and operators. In addition, the 
AC&D system must have a redundant 
design so that it is robust. AC&D systems 
must also integrate with operational pro- 
cedures so that users know how to use the 
system effectively. 

Interface with Entry Control 
Systems 

In a high-security system, intrusion de- 
tection functions and data handling must 
always take precedence over any other 
system or event. This precedence in- 
cludes entry control, for which functions 
are less critical because a decision to grant 
a user normal access to an area can be 
delayed for a few seconds without a sig- 
nificant operational impact. Intrusion 
attempts must be communicated immedi- 
ately for the security forces to have time 
to intercept the intruder. Intrusion detec- 
tion events have a higher priority than 
entry control events, and thus an inte- 
grated AC&D system must handle security 
events before any others. 



Integration with Assessment 
Systems 

AC&D systems should employ CCTV 
cameras to provide visual surveillance of 
the facility and rapid remote assessment 
of the causes of intrusion alarms. CCTV 
systems often use video recorders or 
digital frame-grabbers to provide an 
instant replay of an intrusion upon an 
alarm. Recordings of video coverage can 



also be saved for later evaluation or doc- 
umentation. A computer-controlled video 
routing switch drives the subsystem. 
The signals from any camera, recorder, or 
frame-grabber can be displayed on any 
monitor. 

When an intrusion alarm is generated, 
the CCTV subsystem rapidly records 
scenes of the assessment zone. When an 
alarm is displayed for assessment, both 
live and recorded CCTV scenes from the 
assessment zone are displayed. The AC&D 
system selects and automatically dis- 
plays the four to eight highest-priority 
assessment scenes for video recording 
when more than four simultaneous al- 
arms occur. 

A VCR or digital frame-grabber records 
critical scenes for post-incident analysis. 
When high-priority alarms are received, 
all four images on assessment monitors 
are recorded or grabbed simultaneously 



System Security 

It is generally desirable to protect AC&D 
system data from interception by out- 
siders and from compromise by insiders. 
Outsider protection is primarily estab- 
lished by locating critical equipment 
inside the PPS boundary and by installing 
substantial barriers within the boundary. 
The outsider must cross the boundary and 
defeat the barriers before gaining access 
to significant system parts. At least one of 
each redundant part and all critical single 
parts of the AC&D system should be 
protected in this way. Access controls also 
restrict entrance into critical areas. 

Insider protection employs techno- 
logical and administrative measures to 
enforce control in all situations where a 
single insider could significantly compro- 
mise the system. Insider protection also 
uses technology to detect when proce- 
dures or technologies indicate possible 
compromise of sensitive system compo- 
nents, and to respond appropriately to 
such conditions. This response may 



Alarm Communication and Display 



167 



involve a technological appraisal of the 
system or dispatch of a guard to an inci- 
dent location. 

Administrative measures can provide 
insider protection for such common 
activities as system maintenance and 
console operation. Access controls limit 
an insider's access to critical equipment. 
Some facilities implement the two-person 
rule for system maintenance, while other 
facilities require an extensive system 
check following any activity during 
which the system could have been com- 
promised. Configuring the AC&D system 
to incorporate accountability for actions 
provides a restriction on malevolent activ- 
ity by the persons making decisions. 

Technological measures for insider pro- 
tection include line supervision on sensor 
communication and digital encoding on 
databases. Tamper indicators limit access 
to processors and displays. Encryption 
technologies are available and can be used 
on critical communications lines that pass 
outside of protected areas or require 
higher levels of security. Use of encryp- 
tion technology should be limited to 
those areas of critical need because of the 
high maintenance for distributing encryp- 
tion keys. 



Many sites reduce operator loading 
by having several operators in the con- 
trol center. Each operator has an AC&D 
console, a telephone, and a radio. The 
work is divided among operators in a pre- 
arranged fashion. Dividing the work 
among several persons reduces individual 
workloads, but may cost more. Another 
scheme for reducing workloads relies 
on a secondary alarm center to handle 
routine matters (such as nonemergency 
calls and making badges) while the 
primary alarm center handles all off- 
normal activity. This planning keeps the 
primary center operators focused on high- 
priority events while allowing all events 
to be handled. 

The AC&D Console as an 
Overload Source 

AC&D consoles must be carefully de- 
signed to prevent information overload of 
the operator. AC&D systems can be very 
large. It is extremely difficult to present an 
operator with an entire system status on 
one display. Use of the proper display 
technologies, display techniques, priori- 
ties, console ergonomics, and system 
hierarchies all play a part in how well 
operators handle information. 



Operator Loading 

AC&D systems must be easy to use. As 
previously stated, the single most impor- 
tant measure of AC&D effectiveness is 
how well the system communicates alarm 
data from sensors to the system operator. 
If the operator's mind is occupied, then 
AC&D effectiveness is compromised. 
Operators must have time available to 
handle AC&D alarms. Operators must not 
be loaded with ancillary tasks that pro- 
hibit proper attention to the display. Oper- 
ators who handle the telephone, the radio, 
write reports, deal with personnel access, 
make badges, and operate the AC&D 
console may be overloaded and can miss 
important events. 



Event Conditions 

An AC&D system must be able to operate 
in different environments and conditions, 
and operators must be effective in all 
three. Table 9.2 summarizes and compares 
these conditions. 

Most systems handle normal and ab- 
normal conditions without problems, and 
operators are not overwhelmed with data. 
Good systems handle malevolent situa- 
tions equally well. The system presents 
data in a prioritized manner and limits the 
data displayed to that which the operator 
needs for job performance. The ultimate 
test of a high-security AC&D system is 
how well it handles malevolent situations 
without overloading the operator. Lower- 
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Table 9.2 Event Situations at a Facility. 



There are three expected operating states at a facility — normal, abnormal, and 
malevolent. 



Normal Conditions 



Abnormal Conditions 



The site is operating normally. Common day-to-day site operations are 
being performed properly. No special circumstances or conditions are 
present. 

Some abnormal conditions are present. Operators are handling such 
abnormal conditions as single sensor faults, safety-related events, bad 
weather, etc. 



Malevolent Conditions Adversary attack or many abnormal conditions are present. The total of 
abnormal conditions is extreme. 



security systems may be able to tolerate 
higher operational loads, but should still 
be driven by the need to make the opera- 
tor most effective. 

AC&D systems must be reliable. Every 
component of an AC&D system is subject 
to some kind of failure. It is essential to 
determine which components are likely to 
fail and the effect such a failure would 
have on the system. Backup equipment 
and procedures must be provided to 
maintain the desired level of security. 
Backup equipment can operate full-time 
in parallel with the primary system, or it 
can be activated by automatic or manual 
switchover. Backup protection and cover- 
age can be provided entirely by increasing 
the use of manpower. When priorities 
and procedures for backup operation 
have been established, security per- 
sonnel must practice the procedures on a 
regular basis. 

Consoles 

AC&D systems are often designed with 
two operator's consoles. Such equipment 
redundancy provides hardware reliability 
because the system can be operated 
equally well from either console. In some 
cases, the consoles improve human relia- 
bility by implementing the two-person 
rule, which requires each action to be per- 



formed by both operators. In this situa- 
tion, an equipment failure at either sta- 
tion disables the system. An intermediate 
approach allows the system to be operated 
from a primary station with oversight 
surveillance at a secondary station. The 
secondary station can assume the primary 
function in case of equipment or person- 
nel failure at the primary station. 

Computers 

To be effective, the AC&D system must 
be computer-driven but not computer- 
dependent. Failure to provide redun- 
dancy for operational functions makes the 
system computer-dependent. Redun- 
dancy is readily available today because 
computer-processing power is relatively 
inexpensive. 

The use of two host computers, as in a 
typical automated AC&D system, provides 
system redundancy. A primary console 
is connected to the main computer, and 
a secondary console is connected to the 
backup computer under normal operat- 
ing conditions. If the main computer fails, 
then a bus switch automatically connects 
the primary console to the backup com- 
puter. The security operators are notified 
of the switch, but operations continue 
normally. Both consoles are unavailable 
only when both hosts fail. 
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Uninterrruptible Power 

Computer-based systems require highly 
reliable electrical power in order to func- 
tion properly. Battery-driven, uninter- 
ruptible power supply (UPS) systems 
prevent momentary outages at the com- 
puter. Long-term power sources such as 
diesel generators can handle outages 
greater than a few minutes or an hour. 
Besides the AC&D computers, other sub- 
systems may be driven by the UPS to 
ensure the reliability of the AC&D system. 
The communication subsystem, individ- 
ual sensors, and even lighting may be pro- 
vided with such backup power. 



Shared Components 

Although many of the AC&D components 
are redundant, to allow for the possibility 
of component failure, some components 
do not have duplicates. For example, 
duplication of the CCTV subsystem is 
very expensive, so it is seldom provided. 
Such components are placed on a shared 
bus that is normally connected to the 
main computer. The bus switch auto- 
matically connects the shared bus to the 
backup computer if the main computer 
fails. As long as one of the host comput- 
ers is functioning, the shared components 
are available. An arbitration scheme 
defines which command center will exer- 
cise control over shared resources in a 
particular situation. If additional security- 
related computer-based functions (e.g., 
badging systems) are required, they 
should operate on separate systems. Data 
from these systems may be shared with 
AC&D systems. 



Compatibility with Operational 
Procedures 

The hardware system must agree with 
procedures and regulations. Regulations 
are written to make sure that minimum 



requirements are met. Procedures, estab- 
lished by site managers, are statements of 
rules to be followed and include respon- 
sibilities of personnel to produce an effi- 
cient and effective protection system. It is 
necessary to determine what equipment 
is needed to implement procedures and 
how the proposed equipment will affect 
the existing procedures. 

Selection of tamper/line-fault detection 
capabilities is an example of the impor- 
tant interaction between equipment and 
procedures. If indications of tampering 
or line faults are routinely ignored, then 
the equipment purchased to provide these 
capabilities is essentially wasted. How- 
ever, if reports are prepared for main- 
tenance personnel because of tamper/ 
line-fault indications, then true hardware 
problems will be corrected, and some 
instances of malevolent tampering may 
be discovered after the fact. The full 
benefit of tamper/line-fault detection 
capabilities will only be realized by a 
response procedure that requires the 
system to be inspected when an indica- 
tion is received. Also, the likelihood of 
apprehending an intruder will be signifi- 
cantly increased. 

Summary 

The alarm communication and display 
system is a key element in the success- 
ful and timely response to a threat. The 
system controls the flow of information 
from sensors to the operator and displays 
this information quickly and clearly. The 
alarm communication and display system 
collects alarm data, presents information 
to a security operator, and enables the 
operator to enter commands to control the 
system. The ultimate goal of the display 
system is to promote the rapid evaluation 
of alarms. This chapter discusses commu- 
nication, information handling, control 
and display devices, equipment place- 
ment, the assessment system interface, 
operator loading, and offline equipment. 
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An alarm communication and display 
system should provide the following: 

• Fast reporting time — if something is 
happening, the operator is informed 
quickly. 

• Line supervision of all cables. 

• Easy and quick discovery of single- 
point failure — once discovered, it 
should be repaired, or at least iso- 
lated, without affecting the entire 
system. 

• Isolation and control of sensors — a 
path should be provided so that indi- 
vidual sensors can be checked and 
isolated. 

• Expansion flexibility — accommodat- 
ing new sensors in a computer 
system should be easy; the commu- 
nication network should have the 
same sensor expansion capability. 

Finally, an alarm communication and 
display system is an integrated system of 
people, procedures, and equipment. The 
equipment collects alarm data and pre- 
sents the information so that people can 
quickly assess the alarms. Design of the 
system must address what information is 
presented to the operator, how the infor- 
mation is presented, how the operator 
communicates with the system, and the 
arrangement of the equipment at the 
operator's workstation. Operators then 
respond to the data according to approved 
procedures. The system may be a simple 
alarm panel display or a complex multi- 
computer control and communication 
system. In either case, the system must be 
designed with the specific needs and 
resources of the site in mind. 

Security Principles 

AC&D systems are used to reduce the load 
on human operators to assist their perfor- 
mance during a malevolent event. 

The alarm communication subsystem 
collects and sends information to the 
operator. 



The alarm control and display sub- 
system processes information and pre- 
sents it to the operator quickly and 
clearly. 



Reference 

International Telecommunications Union 
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Available at: http://www.itu.int/ 
publications/telecom. htm. 



Questions 



1. Discuss the following application 
considerations: 

a. A means of detecting a system 
failure (for example, line 
supervision) must always be 
provided. 

b. Backup power is essential. 

c. Spare equipment must be stored 
on site. 

d. Trained maintenance personnel 
are essential. 

e. The console arrangement must 
be easy for an operator to learn 
and use. 

f. Consoles that require lengthy 
command formats to be keyed 
into a computer should not be 
used in an AC&D system. 

g. The use of delicate equipment or 
software that is easily broken or 
disabled by careless operator 
actions should be avoided. 

2. In what kind of situations would it 
be most logical to use a star com- 
munication network? A loop com- 
munication network? 

3. What are the reasons for using 
a supervised alarm communication 
link? 

4. What techniques can be used for 
physical protection of alarm com- 
munication lines? 
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5. What information does the console 
operator need when an alarm 
occurs? 

6. What equipment is needed for dis- 
play and control? 

7. Who should be on the project design 
team at your facility? 



8. What are the advantages and dis- 
advantages of independent subsys- 
tems for alarm communication and 
display? 
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An entry control system allows the move- 
ment of authorized personnel and ma- 
terial into and out of facilities, while 
detecting and possibly delaying move- 
ment of unauthorized personnel and con- 
traband. Entry control elements may be 
found at a facility boundary or perimeter, 
such as at vehicle gates, building entry 
points, or doors into rooms or other 
special areas within a building. 

The objectives of an entry control 
system used for physical protection are: 

• to permit only authorized persons to 
enter and exit 

• to detect and prevent the entry 
or exit of contraband material (wea- 
pons, explosives, unauthorized tools, 
or critical assets) 

• to provide information to security 
personnel to facilitate assessment 
and response 

In this text, entry control is defined as 
the physical equipment used to control 
the movement of people or material into 
an area. The term access control refers to 
the process of managing databases or 
other records, and determining the param- 



eters of authorized entry, such as who or 
what will be granted access, when they 
may enter, and where access will occur. 
The terms are often used interchangeably 
in industry; however, there are advantages 
to differentiating between the two. Many 
industrial access control systems include 
software to manage the database of 
those having authorized access, as well as 
the physical means of restricting entry 
or exit. Because the technical issues 
associated with the installation and use 
of entry control equipment are different 
than the administrative controls required 
to manage authorized access, they re- 
quire separate consideration in order 
to achieve an effective and integrated 
subsystem. 

The performance measures of entry 
control subsystems include throughput 
and error rates. Throughput is a measure 
of the time it takes for an authorized 
person or material to successfully pass an 
entry or exit point. Technology com- 
ponents that require longer throughput 
times may not be applicable in all situa- 
tions, such as entry to an industrial facil- 
ity at shift changes. Error rates will be 
discussed in more detail in the section 
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below entitled "Personnel Identity Verifi- 
cation (Biometrics)." 

Personnel Entry Control 

Personnel entry control is the portion of 
an entry control system used to authorize 
entry and to verify the authorization of 
personnel seeking entry to a controlled 
area. This verification decision is usu- 
ally based on determining whether the 
person (1) is carrying a valid credential, 
(2) knows a valid personal identifica- 
tion number, or (3) possesses the pro- 
per unique physical characteristic that 
matches the person's characteristic 
recorded at enrollment (biometrics, such 
as fingerprint, hand geometry, etc.). These 
three concepts are summarized as what 
you have, what you know, and what you 
are. With the exception of biometric 
devices, entry control devices may be 
used independently of the authorized 
person. A physical characteristic match 
will verify the person's identity; a cre- 
dential or an ID number only verify that 
the person requesting entry has a valid 
credential or knows a valid number. Com- 
binations of entry control technology can 
be used effectively to protect access to a 
facility. These combinations can reduce 
throughput, but will make the system 
harder for an adversary to defeat. Methods 
of personnel entry authorization that will 
be discussed include personal identifi- 
cation number, credentials, and positive 
personnel identity verification or 
biometrics. 

Personal Identification Number 

Systems are available in which a memo- 
rized number, referred to as a personal 
identification number (PIN), is used. To 
gain entry the user enters the PIN on a 
keypad. Some systems use a coded cre- 
dential to locate the reference file associ- 
ated with that badge number in the access 
control database. In this case, an individ- 



ual requesting access first inserts the 
coded credential and then enters a mem- 
orized number via a keypad. This number 
is compared to the one stored in the ref- 
erence file for that person. If the numbers 
are the same, the person is granted entry. 
The memorized number may be selected 
by the individual enrolling, or it may 
be assigned. A four- to six-digit number 
is commonly used. This simple method 
does have weaknesses: (1) an individual 
could pass the PIN and credential to an 
unauthorized individual; (2) the PIN 
could be observed surreptitiously by an 
adversary (shoulder surfing); or (3) the 
PIN could be obtained by coercion. In 
addition, people often write PINs down, 
making it easier for an adversary to obtain 
the PIN. 

There are two primary considerations 
for selecting a secure PIN. First, the PIN 
should be long enough, and second, the 
PIN should not be a number that is too 
meaningful to the individual to whom it 
is assigned. The PIN must have enough 
digits to prevent easy guesses. This is 
especially important where a PIN is the 
only criteria for granting entry. For a pop- 
ulation of a few hundred, a four-digit PIN 
should be sufficient. Four digits allow for 
a total of 10,000 combinations, which is 
much larger than the number of people in 
the population. The probability of guess- 
ing a correct PIN is low under these 
circumstances. 

If a person is allowed to choose his or 
her own PIN, choosing a PIN that is too 
meaningful to that person should be 
strongly discouraged. Birthdays, partial 
social security numbers, phone numbers, 
and other numbers may be easy for the 
individual to remember but may also be 
easy for an adversary to guess. Other easy 
numbers to remember like 1-1-1-1, 1-2-3- 
4, and similar sequences should also be 
avoided. 

Some systems provide a maximum 
number of PIN entry attempts before dis- 
allowing the credential or generating an 
alarm to the central control system. Using 
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the PIN in combination with credentials 
and biometrics helps to raise the level of 
security. 

Credentials 

There are many types of credentials used 
in personnel entry control. Those that will 
be discussed in this chapter are: 

• photo identification badge 

• exchange badge 

• stored-image badge 

• coded credential 

The first three require a manual check by 
a guard and require a high degree of 
vigilance. Coded credentials are checked 
automatically. 

Photo Identification Badge 

The photo identification badge is a 
common credential used for personnel 
entry control, but it is not always effec- 
tive. A false photo identification badge 
can be made, or an individual can make 
up their face to match that on a stolen 
badge in an effort to gain unauthorized 
entry. Also, because this kind of badge is 
manually checked, guard inattentiveness 
can reduce its effectiveness, especially at 
times when large numbers of people are 
entering a facility. 

Exchange Badge 

A badge exchange system requires that 
duplicate badges be held at each entry 
control point. When an employee pre- 
sents a badge and requests entry, a guard 
compares the individual to the photo on 
the corresponding exchange badge held 
at the entry control point. If the two 
match, the guard exchanges the badges 
and allows entry. The exchange badge 
may contain more information than the 
employee badge, and may be a different 
color. The employee's badge is held at the 
entry control point until the employee 
leaves the area, at which time the badges 



are again exchanged. In this way, the 
exchanged badge worn within the secure 
area is never allowed to leave the area. 
This reduces the possibility of a facility 
badge being counterfeited, lost, or stolen. 
The badge exchange system does not 
prevent someone from making up their 
face to match the image on a stolen badge 
in order to gain unauthorized entry. 

Stored-image Badge 

The use of a stored-image (video com- 
parator) system requires a guard to verify 
an individual's identity based on visual 
characteristics. A securely stored image is 
used for comparison with a real-time 
image of the individual requesting entry. 

Two of the most important features of 
such a system are enrollment capability 
and access time. Enrollment capability is 
the maximum number of images that can 
be stored by the system. The access time 
is the time required from entry of the 
identification number until the stored 
image is displayed for viewing. These 
systems use a coded badge or keyboard to 
find the stored image for display and 
visual comparison by the guard. 

Stored-image systems are not based on 
a unique, measurable characteristic, such 
as a fingerprint, so they are not consid- 
ered to be personnel identity verifica- 
tion. However, they have an advantage 
over manual photo identification systems 
in that it is difficult to tamper with the 
stored image. In this way, the stored- 
image system is comparable to badge 
exchange systems. 

Coded Credential 

Coded credential systems, also called 
key-card systems, are commercially avail- 
able with a wide range of capabilities, 
including: 

• maintenance of entry authorization 
records for each coded credential 

• provision of unique identification 
code numbers that can be read by a 
machine 
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• termination of entry authorization 
for an individual without the neces- 
sity of recovering that individual's 
badge or credential 

• provision for several levels of entry 
authorization, such as entry only at 
selected entry control points or only 
at certain times of the day 

Entry authorization records can be 
updated each time entry is requested 
using a coded credential. Each entry 
action and its time of occurrence, entry 
location, and the coded credential identi- 
fication number can be recorded and 
listed on request. Many coded credentials 
are in the form of a badge that is worn 
or carried while in a facility. A techni- 
cal introduction to the use and applica- 
tion of coded credentials is available 
(Wright, 1988). 

There are many techniques available 
for coding a badge. The most common 
techniques include magnetic stripe, 
wiegand wire, bar codes, proximity, and 
smart cards. 

Magnetic stripe encoding is widely 
used in commercial credit card systems. 
A strip of magnetic material located along 
one edge of the badge is encoded with 
data. These data are then read as the 
magnetic strip is moved through a slotted 
magnetic reader. The measure of the resis- 
tance of a magnetic material to changes in 
the stored information when exposed to 
magnetic field is called its coercivity. The 
coercivity is defined as the magnetic 
intensity of an applied field required to 
change the information. The unit of mag- 
netic intensity used to describe the coer- 
civity is the oersted. 

Two materials have been used as the 
magnetic stripe medium. The one most 
commonly used for credit cards is a 300- 
oersted (low-coercivity) magnetic mate- 
rial. This material is relatively easy to 
erase. The coercivity of the second mag- 
netic stripe material is in the range of 
2,500 to 4,000 oersteds (high-coercivity). 
This material is the one most commonly 



used in security credential applications 
and is very unlikely to be accidentally 
erased. Common household magnets are 
not strong enough to erase high-coercivity 
stripes. Less common rare-earth magnets, 
on the other hand, do produce field 
strengths strong enough to alter high- 
coercivity magnetic stripes. 

The use of alphanumeric encoding 
allows both the badge-holder's name and 
a badge number to be included. Creden- 
tial forgery is relatively easy since data 
from the magnetic strip can be decoded or 
duplicate badges encoded by the use of 
commercially available equipment. This 
vulnerability can be mitigated to a great 
degree through the use of proprietary, 
nonstandard encoding and reading tech- 
niques. The use of proprietary systems, 
however, may limit the ability to interface 
with other equipment or subsystems. This 
may also limit choices when considering 
upgrades or expansions. 

Wiegand wire technology has been in 
existence for some time, and the wiegand 
signal output format has become a de 
facto industry standard. The code is pro- 
duced by a series of parallel, embedded 
wires that have special magnetic proper- 
ties. The wires are typically arranged in 
two rows (see Figure 10.1). Encoding is 




Figure 10.1 Weigand Wire Badge. The 
metal wires produce a unique code 
that is determined when the card is 
manufactured 
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determined during card manufacture. 
Cards are swiped through a slotted card 
reader, much like the way magnetic stripe 
cards are read. This technology has a high 
degree of acceptance and use in the access 
control industry. 

The bar code, widely used in retail 
trade to automatically identify products at 
the point of sale, is sometimes used on 
coded credentials. The varying widths of 
the bars and spaces between them estab- 
lish the code. To read the card, an optical 
sensor scans the bar code and transmits 
the information to a decoding unit. Typi- 
cally, the bar code is printed on the cre- 
dential and is used in much the same way 
as a magnetic stripe. Unless the bar code 
is covered with an opaque covering, it is 
relatively easy to duplicate. This opaque 
covering is becoming more commonplace 
as the bar code badge moves into the secu- 
rity credential market. Two-dimensional 
symbologies (2-D bar codes) are also used 
on security credentials and are capable of 
storing more information than their one- 
dimensional counterparts. 

The proximity badge is one whose 
information can be read without the badge 
being physically placed into a reader 
device. Proximity badges can be classified 
by the method of powering the badge, 
operating frequency range of the badge, 
and read-only or read/write capability 
(Wright, 1987). 

The electronic proximity identification 
badge, a small RF transponder/transmit- 
ter, must be powered in some way. A long- 
life battery packaged with the unit powers 
active badges. For some types of badges 
the battery power is applied only when 
the badge enters the interrogation field. 
For others, the badge continuously broad- 
casts and the reader antenna picks up the 
RF data as the badge enters the reading 
field. The passive badge draws its power 
from the reader unit through the RF signal 
as it enters the interrogation field. 

Proximity badges fall into two groups 
according to frequency. The lowfre- 
quency badges are in the 125 kHz range, 



and the high-frequency badges range from 
2.5 MHz to over 1GHz. A read-only badge 
contains a specific code usually fixed at 
the time of manufacture and cannot be 
changed. The read/write badge, on the 
other hand, usually contains a larger data 
field than read-only badges and can be 
programmed by the system manager as 
required. The proximity badge of Figure 
10.2 has a transparent back showing the 
embedded components. 

While relatively new in the United 
States, smart-card technology has been in 
use for more than a decade in France. 
Smart cards are more appropriately called 
integrated circuit cards because some 
only contain memory circuits, while 
others include both memory and process- 
ing capability. The smart card is the size 
of a standard bank credit card with an 
integrated circuit embedded in the card. 
Gold contacts on the surface of the card 
(see Figure 10.3) allow for communication 
with a reading device. Cards with only 
memory circuits serve much the same 
function as magnetic stripe cards: badge 
number, user's name, and other informa- 
tion can be stored and read. A true smart 
card includes a microprocessor that 
makes the card smart and sets it apart 
from memory cards. The size of memory 
on the smart card ranges from 8 kilobytes 




Figure 10.2 A Passive Proximity Badge. 
The embedded coil and the RF chip are 
visible through the transparent back 
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Figure 10.3 Smart Card with Embedded 
Microprocessor. The processor contains 
specific user data, which gives this device 
high-security protection 



to 64 kilobytes, with projections of 1 
megabyte available in the future. 

The main advantages of the smart card 
are its large memory and its high degree 
of resistance to forgery or compromise. 
These advantages must be considered rel- 
ative to the high cost of smart cards. When 
facility populations are large and the 
security level is not extremely high, the 
cost of smart cards is prohibitive. 
However, issuing smart cards to a small 
population for use at a very high-security 
facility or to limit access to certain areas 
in large facilities may be appropriate. 
Examples of the latter case might be entry 
into areas containing precious metals or 
executive suites. A facility may also have 
extensive administrative concerns such 
as training, health care records, or prop- 
erty control; a smart card that combines 
one or all of these record-keeping func- 
tions with security features could be cost- 
effective. 

Personnel Identity Verification 
(Biometrics) 

Personnel identity verification systems 
corroborate claimed identities on the 
basis of some unique physical biometric 
characteristic(s) of the individual. Com- 



mercial equipment is available that uses 
hand or finger geometry, handwriting, eye 
pattern, fingerprints, speech, face, and 
various other physical characteristics. All 
personnel identity verification systems 
consider the uniqueness of the feature 
used for identification, the variability 
of the characteristic, and the difficulty of 
implementing the system that processes 
the characteristic. 

Biometric devices can differentiate be- 
tween verification and recognition. In 
verification mode, a person initiates a 
claim of identity, presents the specific 
biometric feature for authorization, and 
the equipment agrees. In recognition 
mode, the person does not initiate the 
claim; the biometric device attempts to 
identify the person, and if the biometric 
information agrees with the database, 
entry is allowed. 

Many biometric technologies use error 
rates as a performance indicator of the 
system. A Type I error, also called a false 
reject, is the improper rejection of a valid 
user. A Type II error, or a false accept, is 
the improper acceptance of an unautho- 
rized person. Often these error curves are 
combined and displayed graphically to 
show the equal error rate. This is the 
crossover point where Type I errors equal 
Type II errors. This point is not necessar- 
ily the point at which the device should 
be operated. The equal error rate does not 
occur at the point where Type I or Type II 
errors are both lowest. It is a figure of 
merit that may be useful when comparing 
various biometric devices. Figure 10.4 
shows an example of the graphical 
display of error curves and the equal 
error rate. 

When selecting or deploying biometric 
devices, consideration of the security 
objectives is required to assure that the 
device will operate as required. Some 
systems may be set to operate in an area 
where the device will minimize false 
rejects, whereas others may minimize 
false accepts. The device cannot minimize 
both error types simultaneously, so a deci- 
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Figure 10.4 Equal Error Rate Graph. The 
false accept and false reject occurrences at 
a specific sensitivity of a biometric device 
can be plotted and their crossover point 
determined. This point is not where the 
device should be operated but can be used 
as a figure of merit when comparing 
devices 



sion must be made as to the balance 
between false accept and false reject rates. 
This has a significant implication to 
system operation. A low false-accept rate 
compromises system security, but allows 
all authorized users entry. False rejects, 
on the other hand, can deny access to 
authorized users in order to maintain 
high security. The security manager will 
undoubtedly hear about the cases of false 
rejects, particularly if senior managers or 
other influential employees are denied 
access. Adversaries, on the other hand, 
are unlikely to report that entry was 
obtained due to false acceptance! 

Hand/Finger Geometry 

Personnel identity verification using the 
hand geometry system is based on char- 
acterizing the shape of the hand. The 
underlying technique measures three- 
dimensional features of the hand such as 
the widths and lengths of fingers and the 
thickness of the hand (see Figure 10.5). 

The hand-read sequence is initiated by 
presenting a coded credential or by enter- 
ing a PIN. The user then places the hand 
on a reflective platen; the device has guide 
pins to help the user properly align 
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Figure 10.5 Hand Geometry Measures. 
Certain aspects of the hand, such as 
widths and lengths of fingers and thick- 
ness of the hand are measured and used 
to create a user template 



fingers. Although the guide-pin arrange- 
ment is best suited to the scanning of right 
hands, the left hand can be enrolled and 
scanned by placing the left hand on the 
platen palm up. A solid state camera takes 
a picture of the hand, which includes a 
side view for hand thickness. Due to the 
combination of infrared illumination 
and the reflective platen, the image of 
the hand appears as a silhouette to the 
camera. The system measures the neces- 
sary lengths and widths and creates a rep- 
resentation of the hand called a feature 
vector. Figure 10.6 shows an example of 
a hand geometry unit. 

During verification, the feature vector is 
compared with previous measurements 
(the template) obtained during enroll- 
ment. If the feature vector and template 
match within an allowable tolerance, ver- 
ification is successful. Testing of a hand 
geometry system at Sandia National Lab- 
oratories indicates that Type I and Type II 
error rates of less than 1% are achievable 
(Holmes, Wright, and Maxwell, 1991). A 
report on the use of a hand geometry unit 
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Figure 10.7 Fingerprint Identification 
Unit. A PIN is entered into the keypad and 
the index finger is placed on the center 
reader. The system then compares the 
fingerprint to one stored in a file to grant 
access 



Figure 10.6 Hand Geometry Unit. The 
hand is placed on the platen and a small 
camera takes a picture. Specific measures 
are used to create a feature vector, which 
is compared to the stored user template 



in an operational environment has also 
been prepared (Ruehle and Ahrens, 1997). 
A similar system uses two fingers to 
verify identity. This two-finger geometry 
system measures finger lengths and 
widths of the index/middle finger pair. 
Because only one guide pin is used 
(between the two fingers), the left or right 
hand fingers work equally well. The func- 
tional concept of this device is similar to 
the hand geometry system. 

Handwriting 

Signature verification has been used for 
many years by the banking industry, 
although signatures are easily forged. 
Automatic handwriting verification sys- 
tems have been developed that use hand- 
writing dynamics, such as displacement, 
velocity, and acceleration. Statistical 
evaluation of these data indicates that an 
individual's signature is unique and 



reasonably consistent from one signature 
to the next. Transducers that measure 
these characteristics can be located in 
either the writing instrument or tablet. 
These systems provide low security and 
are best used in applications where autho- 
rizing signatures for a transaction are 
already in use. 

Fingerprints 

Fingerprints have been used as a person- 
nel identifier for more than 100 years and 
are still considered one of the most reli- 
able means of distinguishing one individ- 
ual from another. The art of processing 
human fingerprints for identification has 
been greatly improved in recent years by 
the development of automated systems. 
Such systems, which rely on image pro- 
cessing and pattern recognition, have 
application in personnel entry control. A 
variety of commercial systems are now 
available that perform fingerprint verifi- 
cation. Figure 10.7 is an example of a 
fingerprint verification system. 

Most fingerprint verification systems 
use minutia points, the fingerprint ridge 
endings and bifurcations, as the identify- 
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ing features of the fingerprint, although 
some systems use the whole image for 
comparison purposes. All fingerprint 
identification systems require care in 
finger positioning and accurate print 
analysis and comparison for reliable 
identification. 

Optical methods using a prism and a 
solid-state camera are most often used to 
capture the fingerprint image. Dry or worn 
fingerprints can be difficult to image using 
optical methods, so special coatings have 
been applied to the optical platens to 
enhance the image quality. The purpose of 
these coatings is to ensure a good optical 
coupling between the platen and finger- 
print. 

Ultrasound is another fingerprint im- 
aging method. Because it is able to im- 
age below the top skin surface to the 
lower layers where the fingerprint is not 
damaged, it is not as susceptible to dry or 
worn fingerprints. Due to the raster scan 
required by the ultrasonic transducer, 
ultrasound imaging is not as fast as optical 
methods. 

Direct imaging sensors that use solid- 
state devices are also available for acquir- 
ing fingerprint images. Capacitive, electric 
field, and thermal methods have been 
commercially developed. It is thought 
that the projected lower cost of these 
devices, due to the efficient manufacture 
of silicon chips, will make fingerprint ver- 
ification devices common on the desktop 
for secure computer log-on. Overcoming 
the difficulties of hardening delicate 
silicon chips for everyday use has delayed 
their widespread implementation. Elec- 
trostatic discharge, finger oil, and sweat 
are harsh on silicon devices. 

Eye Pattern 

The retina is the membrane lining the 
more posterior part of the inside of the 
eye. It contains light-sensitive cones and 
rods and nerve cells. A retinal scan 
identity-verifier is shown in Figure 10.8. 
The pattern of blood vessels in the body 
is unique, and the pattern on the retina of 




Figure 10.8 Retinal Scan Device. The 
user enters a PIN, then looks through the 
verifier and aligns a target. A scan of 
the retina is made and compared with the 
stored image 



the eye can be assessed optically through 
the lens of the eye. A circular path about 
the center of vision is scanned with a very 
low-intensity, nonlaser light from infrared 
light-emitting diodes (LED). The intensity 
of the reflected light versus beam position 
during the scan indicates the unique loca- 
tion of the retinal blood vessels. To enroll, 
the user must look into the verifier and 
stare at an alignment target while the 
optical scan is being made. Several such 
scans are usually taken and algorithmi- 
cally combined to create the reference 
profile. If the device is to be used in the 
verification mode, a PIN number is 
usually assigned at this time as well. 

Verification, which requires only a 
single scan, is done in a similar manner. 
The retinal scanner can also operate in 
recognition mode. In this mode, the entry 
of a PIN is not required. Because the entire 
enrollment file must be reviewed, verifi- 
cation processing time increases as the 
number of enrollees is increased. Data 
from an operational evaluation in a labo- 
ratory environment indicates that Type 
I and Type II error rates of less than 
1.5% are achievable (Holmes, Wright, and 
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Maxwell, 1991). User acceptance of this 
unit has been low, due to the unfounded 
fear of damage to the eye by the LED. 

Another technology uses the iris to 
accomplish identification. The iris is the 
colored portion of the eye that limits the 
amount of light allowed into the eye. This 
system uses a video camera to image the 
iris structure of the eye (see Figure 10.9). 
The unique structure of an iris can 
be used to identify an individual. This 
system operates in the recognition mode, 
so entry of a PIN is not required. A dis- 
tinct advantage for this system is that the 
camera images the iris at a distance of 
about 10.12 inches, so no physical contact 
between the face and the scanner is 
required. In addition, the eye is externally 
illuminated with visible light so there is 



no LED shining in through the lens. Con- 
sequently, user acceptance is better than 
for the retinal scanner. 

Data from a laboratory test of a pro- 
totype iris scanner indicated some diffi- 
culty with glare off glasses. This caused 
some Type I (false reject) errors. No Type 
II (false accept) errors were observed in 
the laboratory test (Bouchier, Ahrens, 
and Wells, 1996). Later devices incorpo- 
rated glare detection and compensation 
features to counteract problems. Trans- 
action times range from 4 or 5 seconds (by 
practiced users) up to 15 seconds (for 
those new to the system). Approximately 
2% of the population cannot be enrolled 
due to blindness or other iris damage, 
people whose eyes are extremely dilated 
(no iris to work with) or very dark irises, 




Figure 10.9 Iris Scan Device. The user aligns the eye with the camera in the center, then 
waits for a scan to be completed and to be granted access 
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so they require another method of 
granting secure access. Both retinal scan 
and iris scan devices offer high levels of 
security protection in an entry control 
subsystem. 

Voice 

Voice is a useful attribute for identity ver- 
ification and is appropriate for automatic 
data processing. Speech measurements 
useful for speaker discrimination include 
waveform envelope, voice pitch period, 
relative amplitude spectrum, and reso- 
nant frequencies of the vocal tract. The 
system may ask the user to speak a spe- 
cific predetermined word or to repeat a 
series of words or numbers selected by the 
system in order to verify access. 

While this technology currently offers 
low security, it is an attractive alternative 
due to its ease of deployment and accep- 
tance by the public. Voice recognition 
systems need only be installed on one end 
of a telephone system, and perhaps cen- 
trally located, reducing the number of 
units required. In addition, most people 
have experience with using telephones, so 
training is minimal, and distrust of the 
technology is low. As a result, several 
units are currently being marketed for 
security applications, and further devel- 
opment is active. 

Voice systems also have some associ- 
ated procedural issues. A person's voice 
can change due to sickness or stress, so a 
procedure or backup method of access 
must be provided to accommodate these 
instances. 

Face 

Facial verification systems use distin- 
guishing characteristics of the face to 
verify a person's identity. Most systems 
capture the image of the face using a video 
camera, although one system captures a 
thermal image using an infrared imager. 
Distinguishing features are extracted from 
the image and compared with previously 
stored features. If the two match within a 
specified tolerance, positive identity veri- 
fication results. 



Although facial systems have been pro- 
posed and studied for a number of years, 
commercial systems have only been avail- 
able recently. Developers have had to 
contend with two difficult problems: (1) 
wide variations in the presentation of the 
face (head tilt and rotation, presence or 
absence of glasses, facial hair changes, 
facial expression changes, etc.); and (2) 
lighting variations (day versus night, 
location A versus location B, etc.). Perfor- 
mance of currently available face systems 
has not yet approached that of more 
mature biometric technologies, but 
face technology does have the appeal of 
noncontact, and the potential to provide 
face-in-the-crowd identifications, for iden- 
tifying known or wanted criminals. This 
latter application could be useful in 
casinos, shopping malls, or other places 
where large crowds can gather. 

Other Techniques 

Keystroke technology (typing patterns) 
has been developed and marketed for 
secure computer log-on. Other verifier 
techniques based on such things as ear 
shape, gait (walking patterns), fingernail 
bed, and body odor have been studied, but 
little development has been attempted. 

Because each biometric technology has 
some limits in terms of inability to enroll 
certain people, procedures dealing with 
this event must be developed. Examples 
include cataract interference with retinal 
scanners, very dry or heavily damaged 
skin (scars, etc.) can cause problems with 
fingerprint devices, some signature and 
some speech systems have problems han- 
dling certain people because their results 
are not repeatable. In addition, authorized 
users may occasionally suffer injuries 
such as broken fingers or hands, eye 
injuries or surgery, or other medical con- 
ditions, which may temporarily affect 
their ability to use a biometric device. 
Additional technology or guard inter- 
vention may be required to address this 
problem. For additional information, Jain, 
Bolle, and Pankanti (1999) have written a 
thorough review of biometric techniques 
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and their application. Others (Rejman- 
Greene, 1998) have discussed biometric 
devices and security considerations. 

Personnel Entry Control Bypass 

When coded credentials or biometric 
technologies are used to allow personnel 
access into rooms, the use of keyed locks 
as a bypass route should be considered. 
This bypass will be useful in case of a 
component or power failure. The possible 
vulnerability introduced by this alternate 
access path can be countered through the 
use of a BMS or other door sensor. In the 
event that the door is opened, an alarm 
will be recorded and can be investigated. 
This will happen whether a key is used or 
if the lock is picked or broken. For areas 
or rooms where multiple entry doors 
exist, only one door need be equipped 
with a keyed lock. 

Contraband Detection 

Contraband consists of items such as 
unauthorized weapons, explosives, and 
tools. Because they can be used to steal or 
gain access to or damage vital equipment, 
weapons and explosives are considered 
contraband. Where these items are a part 
of the threat definition, all personnel, 
materials, and vehicles should be ex- 
amined for contraband before entry is 
allowed. Vehicles are difficult to search. 
If possible, it is advantageous to allow 
only required vehicles into the secured 
area. Large or high-security sites may not 
allow vehicles to leave the secured area 
routinely. Methods of contraband detec- 
tion include metal detectors, package 
searches, and explosive detectors. 

Metal Detectors 

One system employed for the detection of 
metal is a magnetometer. The magne- 
tometer is a passive device that monitors 



the earth's magnetic field and detects 
changes to that field caused by the pres- 
ence of ferromagnetic materials. This 
method detects only ferromagnetic mate- 
rials (those that are attracted by a magnet). 
Materials such as copper, aluminum, and 
zinc are not detected. While most firearms 
are made of steel, some are not and there- 
fore will not be detected by a magne- 
tometer. Although magnetometers have 
not been used for contraband screening 
for many years, research and development 
of a modern magnetometer has been con- 
ducted in recent years. Although the term 
magnetometer is often used to refer to 
metal detectors in general, this device 
differs greatly from modern active metal 
detectors. 

Most metal detectors currently in use to 
detect contraband carried by personnel 
actively generate a varying magnetic field 
over a short period of time. These devices 
either detect the changes made to the field 
due to the introduction of metal to the 
field, or detect the presence of eddy cur- 
rents that exist in a metallic object caused 
by a pulsed field. The magnitude of the 
metal detector's response to metallic 
objects is determined by several factors 
including the conductivity of the metal, 
the magnetic properties of the metal (rel- 
ative permeability), object shape and size, 
and the orientation of the object within 
the magnetic field. 

At present two methods are commonly 
used to actively detect metal: continuous 
wave and pulsed field. Continuous-wave 
detectors generate a steady-state magnetic 
field within the frequency band of 100 Hz 
to 25 kHz. Pulsed-field detectors gener- 
ate fixed frequency pulses in the 400 to 
500 pulse-per-second range. Due to the 
complex shape of the waveforms em- 
ployed, the pulsed fields may have fre- 
quency components from zero to several 
tens of kHz. 

A typical coil configuration for contin- 
uous wave metal detection is illustrated 
in Figure 10.10A. A steady-state sinu- 
soidal signal is applied to the transmitter 
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Figure 10.10 Metal Detector Technologies. A represents a continuous wave device and 
B a pulsed wave device 



coil located at one side of the detector 
arch. This coil produces a magnetic field 
of low strength. The receiver coils are 
mounted on the opposite side of the arch 
such that a person being screened passes 
between the transmitter and the receiver 
coils. The signal is detected by the 
receiver coils and is then routed to a bal- 
anced differential amplifier, which am- 
plifies only the difference between two 
signals. When there is no metal present 
within the arch, there is no difference in 
the signals at the inputs to the differential 
amplifier; therefore, there is no output 
signal from the amplifier. When a metal- 
lic object enters the arch, the changes it 
makes to the magnetic field disturb the 
balance of the receiver coils. The unbal- 
anced field produces a difference at the 
differential amplifier resulting in an 
output signal. This signal is then further 
amplified and phase-checked. If the signal 
exceeds a selected threshold, an alarm is 
generated. The phase detection permits 
some optimization of detection for either 
ferromagnetic (high relative permeability) 
or nonferromagnetic (low relative perme- 
ability) metals. 

A typical coil configuration for a 
pulsed-field metal detector is shown in 
Figure 10.10B. The coil arrangement is 
similar to that of the continuous-wave 
metal detector. The greatest difference to 



the coil configuration is that the balanced 
receiver coils are not required for pulsed- 
field operation. The multiple transmitter 
coils produce magnetic field flux patterns 
that lessen the effects of object orientation 
on detector response. The low inductance 
transmitter coils are driven with a series 
of pulses that produce short bursts of mag- 
netic field (as short as 50 microseconds), 
200 to 400 times per second. During the 
time that the magnetic field is present, the 
receiver amplifiers are switched off. Fol- 
lowing the end of the transmitted pulse, 
the receiver amplifiers are switched on for 
a period of time, typically a few tens of 
milliseconds. When there is no metal 
present in the arch, the output of the 
receiver amplifiers is the low background 
electromagnetic noise. When there is a 
metallic object present in the arch, the 
collapse of the magnetic pulse induces an 
eddy current in the metal. This eddy 
current decreases rapidly as a function of 
the resistivity of the metal but persists 
long enough to be present when the 
receiver amplifiers are switched on. The 
signal is then further amplified and phase- 
detected. If the signal exceeds a selected 
threshold, an alarm is generated. The 
phase detection again allows for opti- 
mization for detection of ferromag- 
netic metals or nonferromagnetic metals. 
Modern digital technology allows for 
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more analysis of the signal, resulting in 
better discrimination between different 
types of metals and real targets and the 
harmless metallic objects carried by 
people being screened. 

When a portal metal detector is used to 
detect very small quantities of metal such 
as gold, detection may be very difficult. In 
the case of a continuous-wave detector, 
the use of a higher-than-usual frequency 
will enhance detection; in all cases 
very-high-sensitivity operation will be 
required. Because high-sensitivity opera- 
tion will sharply increase the nuisance 
alarm rate, an area for personnel to change 
out of steel-toed shoes and to remove 
other metallic items from their body may 
be required. Handheld metal detectors 
can detect even very small quantities of 
metals and may be better suited to the task 
of screening very small items. The disad- 
vantage of handheld metal detectors is the 
requirement for active guard participation 
in the screening process and the time 
required for the search. Handheld metal 
detectors can also be considered intrusive 
due to the proximity of the metal detector 
to the person being screened. This can be 
especially intrusive when the screener 
and the person being screened are of 
opposite sex. Many sites, notably airports, 
provide same-sex operators to address 
this unease. 

Because the magnetic field is not con- 
fined to the area between the coils and 
metal detectors are sensitive to metal 
moving outside the physical boundaries 
of the detector, care must be exercised in 
determining detector placement. Any 
movable metallic objects either in front or 
to the side of the detector, such as doors, 
forklifts, and carts, can cause nuisance 
alarms. Electromagnetic transients, such 
as radio transmitters, power-line fluctua- 
tions, and flickering fluorescent lighting, 
can cause false alarms. 

Metal detectors are designed to be tol- 
erant of some nonmoving metal in their 
immediate area. Reinforcing steel in con- 
crete floors and walls and other metallic 



building materials can be tolerated to 
some degree; however, installing a metal 
detector against a steel support beam is 
not recommended. Large quantities of 
metal can cause severe distortions in the 
magnetic field. In some cases the metal 
detector will not operate and may gener- 
ate an error alarm; in other cases the 
detector may continue to operate but have 
areas of extremely low or high sensitivity. 
These distortions may lead to missed 
targets or unusually high nuisance alarms 
due to innocuous items. Metallic items, 
such as safety equipment, metal trash 
cans, chairs, and other items, may not 
completely interfere with a metal detector 
if placed close to the detector but can 
cause distortions to the detection field. 
For this reason, some installations insti- 
tute a no-move rule for these metallic 
items within the vicinity of the detector 
following installation testing. 



Package Search 

Packages may be searched for contraband 
manually or by active interrogation. 
Active interrogation methods used to 
detect various objects considered contra- 
band include single-energy transmission 
X-ray, multiple-energy X-ray, computer 
tomography (CT) scan, and backscatter X- 
ray. In general, these methods are not safe 
for use on personnel; however, a new X- 
ray technology for screening personnel 
will be discussed in the section titled 
"Bulk Explosives Detection" later in this 
chapter. In general, simple single-energy- 
transmission X-ray imagers are used to 
find metallic items and the other tech- 
niques are designed to image low-Z 
materials. Examples of low-Z contraband 
materials are drugs, explosives, and some 
foodstuffs. Low-Z materials are materials 
that are composed of elements that have a 
low atomic number. Low-Z elements 
include hydrogen, oxygen, carbon, and all 
the elements up to aluminum, with Z 
number 26. 
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A conventional single-energy-transmis- 
sion X-ray package search system will not 
penetrate the heavy materials sometimes 
used for shipping containers. High-energy 
X-rays or multiple-energy X-rays can be 
used to assess the contents of the package 
being examined. Because most of the 
development of low-Z screening devices 
is directed toward the detection of explo- 
sives, these technologies are discussed in 
detail in the section entitled "Bulk Explo- 
sives Detection" below. Although discus- 
sion of these devices will be focussed on 
explosive detection, most of these tech- 
nologies can be adjusted to search for 
drugs as well. 

Explosives Detectors 

Vapor Detectors Methods commonly 
used for inspecting cargo and luggage for 
explosives, for example, X-ray imaging 
or neutron activation, are unacceptable 
for screening personnel because these 
methods are physically harmful to 
humans. Passive detection techniques can 
be used to safely search personnel for 
explosives by detecting the trace amounts 
of vapor that are emitted from bulk 
quantities of concealed explosives. The 
challenge involved in detecting trace 
explosives vapors is evident after consid- 
eration of the low vapor-phase concentra- 
tions of several common high explosives. 
Concentrations in the parts-per-billion or 
parts-per-trillion range are typical, with 
further reductions in vapor pressures 
encountered when the explosive con- 
stituent is packaged in an oil-based gel or 
solvent (for example, RDX in C-4 plastic 
explosive). Explosive molecules readily 
stick to many common materials at room 
temperature, and decompose upon mod- 
erate heating or upon exposure to large 
doses of energy. Hence, transport and col- 
lection of vapor-phase explosive mole- 
cules is achieved only at the expense of 
significant sample loss. 

Several approaches have been devel- 
oped for the vapor-phase detection of 



explosives. These passive methods of 
detection include animal olfaction (dogs) 
and vapor detection instruments. Exam- 
ples of vapor detection instruments are 
electron capture detection (ECD), chemi- 
luminescence, ion mobility spectrometry 
(IMS), and mass spectroscopy. 

Canine olfaction is used widely in law 
enforcement and the military for locating 
hidden explosives. However, canines 
require constant retraining to continue to 
identify synthetic compounds such as 
explosives. Moreover, the reliability of 
canine inspection is subject to the health 
and disposition of the dog and the vigi- 
lance and skill of the handler. As a result, 
the use of canines is very expensive. 
For these reasons, commercial explosive 
detectors are gaining greater acceptance 
as the preferred method for screening 
personnel for explosives. 

Electron capture detectors, or ECDs, 
take advantage of the high electron affin- 
ity of nitro compounds to identify trace 
explosives in a vapor sample. An air 
sample is drawn into the ECD detection 
chamber that is plated with a beta par- 
ticle source such as Ni-63 that emits low 
energy electrons (beta radiation). A 
pulsed positive voltage is applied to the 
anode, resulting in a measurable standing 
current, I . As this positive voltage is 
switched on and off, the anode current 
oscillates between zero and I . In the pres- 
ence of electrophilic (electron-capturing) 
materials, such as explosive molecules, 
this thermal electron population is 
decreased. When the anode voltage 
is pulsed, the resulting anode current is 
reduced from the standing current value 
Io by an amount proportional to the con- 
centration of high explosives in the detec- 
tor. This results in a new current I, which 
is less than I . Thus, a drop in anode 
current indicates the presence of elec- 
trophilic molecules and signals an alarm. 
Electron capture technology itself is not 
specific; that is, it cannot determine the 
specific explosive detected. By coupling 
the ECD with another technology such as 
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a gas chromatograph (GC), identification 
of the type of explosive can be made. 

Chemiluminescence detectors use pho- 
tochemical means to yield detection. The 
vapor sample is collected and separated 
into its components using a gas chro- 
matograph. The sample is then heated so 
that any nitrogen compounds that are 
present will decompose to form nitrogen 
oxide (NO). Reaction of NO with ozone 
forms an excited state of nitrogen dioxide 
(N0 2 ), which emits a photon that can be 
detected using a phototube. The coupling 
of the photoemission and the chromato- 
graph permits identification of any 
nitro-based explosive compounds that are 
present. 

Chemiluminescence detectors have ex- 
cellent sensitivity to common high explo- 
sives, including compounds with very 
low vapor pressures such as RDX and 
PETN. However, the chemiluminescence 
instruments are also the most expensive 
of the commercial detectors, have the 
longest analysis time, and typically 
require more maintenance than the ECD 
units. Because other sources of nitrogen 
oxide, such as automotive exhaust, may 
provide potential interferents, chemilu- 
minescent detection is paired with fast 
gas chromatograph separation to distin- 
guish explosives from other nitrogen- 
containing compounds. 

In an ion mobility spectrometer, or IMS, 
the analyte molecules in an air sample are 
negatively ionized using a beta source (as 
in the case of ECDs) and then passed into 
a drift cell through a shutter, which opens 
periodically over a period of millisec- 
onds. Within the drift region, the ionized 
species move down an electric field gra- 
dient against a counter-flow of an inert 
gas. The molecules separate by weight, 
with the lightweight species and their 
smaller cross-sections progressing more 
quickly upstream than the massive 
species. At the end of the drift region the 
ions strike a Faraday plate that records the 
output voltage as a function of molecule 
drift time. A typical IMS drift cell is 6 to 



8 cm in length with an electric field 
gradient of 200V/cm. Under these con- 
ditions, the drift times of the explosives 
molecules range from 5 to 20 millisec- 
onds. Coupling with a gas chromatograph 
is not necessary for identification of the 
analyte since the time-of-flight separation 
achieved in the drift region provides 
specificity. 

IMS-based detectors provide high sen- 
sitivity to dynamite, military-grade TNT, 
and plastic explosives compounds, at 
instrument costs that are considerably 
lower than those of chemiluminescence 
detectors. Detection using IMS is highly 
specific; aside from some compounds 
used as fragrances in lotions and per- 
fumes, there are few potential interfer- 
ents. The sensitivity of the IMS-type 
detector and its relative ease of operation 
and maintenance account for the rapid 
development and commercialization of 
IMS technology for explosive detection 
applications. 

One type of mass spectroscopy is based 
on the principle that charged particles 
traveling through a magnetic field will 
follow a circular path. The radius of the 
path is determined by the mass of the par- 
ticle. Because explosive molecules are 
easy to negatively charge and the mass of 
each type of explosive is different, this 
technique allows separation and identifi- 
cation of the explosive materials. Other 
mass spectroscopy techniques include 
time-of-flight and quadrapole mass spec- 
troscopy. 

From laboratory evaluations of com- 
mercial detectors that are currently on 
the market, it can be stated that the ECD 
instruments are the simplest to operate, 
the least expensive, and the least sensitive 
of the commercial detectors (Hannum and 
Parmeter, 1998). ECDs can detect TNT and 
nitrated dynamite consistently, but they 
are not reliable for sensing plastic-type 
explosives. There are some common non- 
explosive substances that give rise to 
potential nuisance alarm signals in ECDs, 
including chlorofluorocarbons, fertilizers, 
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and some household cleaners. Coated 
chromatographic columns or membranes 
are coupled with ECDs to discriminate 
between true explosives and interferents. 

Most commercial explosives detectors 
achieve greatest sensitivity when used in 
the surface sampling mode, in which a 
surface suspected of explosives contam- 
ination is swiped with a collector pad 
made of cloth, sharkskin, or similar mate- 
rial. The collector pad is then placed in a 
heating unit, which desorbs the particles 
of explosives that have been gathered and 
transports them to the detector for analy- 
sis. But due to time constraints, this mode 
of sampling is impractical for screening 
individuals passing through sensitive 
high-traffic checkpoints, such as airport 
boarding areas, for explosive contraband. 
The development and commercialization 
of a walk-through portal explosives detec- 
tor, for screening high throughput areas 
for concealed explosives contraband, is 
therefore a high research and develop- 
ment priority. 

Commercial explosives vapor detectors 
must be carefully selected to meet the 
needs of each facility. The sensitivity, 
nuisance alarm resistance, response time, 
and operating and maintenance costs are 
all factors to consider when selecting a 
detector. 

Bulk Explosives Detection Bulk explo- 
sives detection devices measure some 
bulk characteristic of materials in an 
attempt to detect the possible presence of 
explosives. Some of the bulk characteris- 
tics that may be measured are the X-ray 
absorption coefficient, the X-ray backscat- 
ter coefficient, the dielectric constant, the 
gamma or neutron interaction, and the 
microwave or infrared emissions. Further 
analysis of these parameters can result 
in calculated mass, density, nitrogen 
content, and effective atomic number 
(effective Z). While none of these charac- 
teristics are unique to explosives, they 
are sufficiently unique to indicate a high 
probability of the presence of explosives. 



Fortunately, many materials that share 
similar bulk characteristics with explo- 
sives are not overly common to everyday 
items. The nuisance alarm rate for bulk 
detection devices can be low enough to 
allow for automatic detection of materials 
that may be explosives. 

Nuclear technologies interrogate a 
package using gamma rays or neutrons. 
These devices determine the nitrogen 
content of a material. Because many 
explosives are nitrogen rich, these devices 
can automatically detect their presence. 
Currently the only two commercially 
available nuclear technology detectors are 
the thermal neutron activation (TNA) 
detector and the pulsed fast neutron 
absorption (PFNA). The major drawbacks 
of these devices are the cost (from about 
$600,000 to several million), size, and 
throughput. Some package search systems 
are based on TNA, and some systems for 
search of vehicles and large shipping 
containers are based on PFNA. 

In most cases, X-ray technology bulk 
detectors are modified package search 
X-ray scanners. These technologies are 
beginning to provide lower-cost alter- 
natives to nuclear technologies. These 
devices usually serve a dual purpose. The 
package being searched for guns or other 
contraband is simultaneously analyzed 
for the presence of explosives. Simple 
single-energy-transmission X-ray scan- 
ners do not provide enough information 
to make the explosives search, so a 
method to extract more information is 
needed. Dual-energy and dual-axis tech- 
nologies allow the determination of a 
material's approximate mass absorp- 
tion coefficient. CT scanners can extract 
enough information to calculate the mate- 
rial's mass and density, as well as its mass 
absorption coefficient. Backscatter tech- 
nology can determine a material's effec- 
tive Z by examining the amount of X-ray 
energy scattered back in the direction of 
the source. 

Fully automating an X-ray backscatter- 
ing system is not possible at the present 
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time. Certainly the entry and exit of per- 
sonnel, positioning of personnel to be 
scanned, and energizing and deenergizing 
the X-ray system can all be automated. 
However, the result of a scan is a com- 
puter-enhanced image on a display 
monitor showing the outline of the person 
and any concealed objects. Recognizing 
an object as being suspicious and request- 
ing further verification to determine if it 
is an explosive is the responsibility of the 
operator or security officer. Figure 10.11 
illustrates a typical computer-enhanced 
image obtained with various materials 
located on the subject. 

Quadrupole resonance (QR) technology 
is a promising new technology that was 
recently incorporated into a commercial 
device. This technology uses pulsed low- 




Figure 10.11 Computer-Enhanced Output 
of an X-ray Personnel Scanner. The 
subject appears to have something around 
the neck and what looks like a weapon 
in the belt 



energy radio waves to determine the 
presence of nitrogen-rich materials. A QR 
scanner is compact, relatively low cost 
(about $100,000), and does not subject 
the package to ionizing radiation. Until 
recently, personnel screening for explo- 
sives could be done only by an explosive 
vapor detection portal, a handheld explo- 
sive vapor detector, or hand searching. 
However, low-dose X-ray (also known as 
soft X-ray and low-energy X-ray) scanning 
now is available, which can detect con- 
traband concealed on personnel, such as 
weapons, explosives, and drugs, includ- 
ing gel-type explosives. 

In any screening device to be used 
on people, safety is of prime importance. 
The radiation dose received while being 
scanned needs to be so low that it is vir- 
tually indistinguishable from background. 
Present scanners can scan only one side at 
a time. A person entering a scanner booth 
would have to be scanned two times, front 
and back, to ensure that no explosives are 
secreted on the person. For general use, 
the low-dose X-ray system should: 

1. Be capable of processing approxi- 
mately 10 people per minute, 

2. Have the demonstrated capability to 
discern the presence of an explo- 
sives mass of 150 g or more on a 
person, and 

3. Demonstrate a radiation output of 
sufficiently low magnitude that per- 
sonnel will receive a radiation dose 
less than the permissible 100 mil- 
lirem/year, which is required under 
NRC regulations in 10 CFR Part 20, 
Section 20.103 (a) (1). Ideally, the 
radiation dose should be <10 mi- 
crorem per scan. 

Other technologies under development 
involve the use of microwave energy to 
determine the dielectric constant of a 
material, millimeter wave devices that 
image objects under clothing, and passive 
devices that detect microwave or infrared 
energy emitted from materials. 
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It is important to note that the devices 
described in this section are not explo- 
sives detectors but are detectors of 
materials that have explosive-like char- 
acteristics. All have strengths and weak- 
nesses. A successful system based on bulk 
detection techniques may consist of a 
combination of two or more of these 
technologies. If enough information is 
gathered on a suspect material through 
this combination, a real determination of 
the presence of explosives may be made. 

Locks 

Locks are important elements in the entry 
control system of a facility since they 
secure the moveable portions of barriers. 
However, locks should generally not be 
relied upon as the only means of physical 
protection for significant areas at a facil- 
ity. Because an individual with enough 
skill and time can compromise them, 
locks should be used in conjunction 
with complementary protection mea- 
sures, such as periodic guard checks and 
sensors. 

In all applications, the goal should be to 
make the lock delay time and capability 
closely match the penetration resistance of 
the rest of the secured barrier (balanced 
protection). It would be unwise to select a 
lock that is either significantly stronger or 
weaker than the rest of the barrier (the door 
and wall). This section presents informa- 
tion that will be helpful in selecting the 
appropriate match for an application. 
Chapter 11, "Access Delay," describes 
delay concepts more thoroughly. 

A detailed discussion of locks and 
locking systems is beyond the scope of 
this chapter, but some high-level informa- 
tion will be presented that will allow the 
novice to understand the major issues and 
recognize the essential considerations in 
selecting and applying locks. There are 
two specific areas that must be consid- 
ered — defeat resistance and application 
considerations. 



The most common applications of 
locking devices are padlock, door lock, 
switch lock, cabinet lock, and cam lock. 
The following description applies to pad- 
locks, door, and cabinet locks. 



Major Lock Components 

The two major components in most locks 
are the fastening device and the coded 
mechanism. The fastening device is most 
often referred to as the latch or bolt assem- 
bly. The coded mechanism is the key 
cylinder in a key lock or a wheel pack in 
a mechanical combination lock. 

Fastening Device 

The fastening device is composed of a 
latch or bolt assembly located within the 
lock case, and a strike for door locks or a 
shackle for padlocks. The latch or bolt 
extends into the strike or shackle securing 
the lock when projected into the locked 
position. 

The difference between a bolt and a 
latch is that a latch will automatically 
retract as the door is closed, whereas a 
bolt stays in the same position unless it is 
intentionally moved. A mechanical bolt 
is a uniformly thick, moveable device 
intended to block motion perpendicular 
to its direction of travel. A bolt is con- 
strained in its extended position by inter- 
ference with a solid obstacle. Latches are 
beveled and spring loaded so that they 
will automatically retract. Latches are 
more convenient, but more vulnerable, 
than bolts. The latch or bolt assembly 
types are latchbolt, deadlatch, or deadbolt 
(intermittent or positive). A description of 
each type follows: 

• Latchbolt — A beveled latch that is 
projected by spring action and re- 
tracted by end pressure, knob (lever), 
or code mechanism. 

• Deadlatch — A latch and pin that 
is projected by spring action and 
retracted by knob (lever) or code 
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Figure 10.12 Intermittent Deadbolt 
Assembly. As the key turns in the lock, 
the cam slides the bolt open or closed. 
The key rotates one time in the coded 
mechanism 



Figure 10.13 Positive Deadbolt Assem- 
bly. In this case, the key must be turned 
multiple times to allow the cam to fully 
open or close the bolt 



mechanism. A deadlatch has a pin 
that is depressed as the door is shut, 
placing an obstacle in the path of 
the spring latch, which restricts its 
movement. 

• Intermittent Deadbolt — A bolt that is 
not permanently coupled to a code 
mechanism and that is projected or 
retracted by the knob or code mech- 
anism. Intermittently coupled key 
locks can often be defeated by bolt 
manipulation without operation of 
the key mechanism (Figure 10.12). 

• Positive Deadbolt — A bolt perma- 
nently coupled to a code mechanism 
and projected and retracted only by 
the code mechanism. When a posi- 
tively coupled deadbolt is fully 
extended, it cannot be unlocked by 
exerting end pressure. Figure 10.13 
illustrates the operation of this 
device. 

Strike 

Typically, bolts and latches are mounted 
on the door. The door is locked when it is 
closed and the bolt or latch projects into 
a recess in the strike located in the door- 
jamb. A strike is used to strengthen the 
recess into which a bolt or latch projects. 
Strikes may be active or passive. The 
only function of a passive strike is to 
strengthen the recess. Some locking 



devices are designed to function either 
mechanically or electrically, for example, 
a mechanical lock mounted on the door 
combined with an active strike on the 
doorjamb, or a passive strike mounted on 
the doorjamb combined with an electric 
bolt lock mounted on the door. 

An active strike allows the door to be 
opened when pressure is exerted on the 
door. The operation of electric bolts and 
latches is controlled by the application of 
power to either a solenoid or an electric 
motor. A solenoid becomes an electro- 
magnet when power is applied. The sole- 
noid then exerts a magnetic force on the 
appropriate mechanism, which removes a 
barrier allowing the user to retract the bolt 
or latch. An electric motor can be used to 
perform the same function as the sole- 
noid. While this is more secure, it is also 
more expensive. An active strike can be 
either fail-safe or fail-secure. The differ- 
ence is that the fail-safe device unlocks 
when power is removed, and the fail- 
secure device locks when power is 
removed. 

Hasps and Shackles 

A hasp is a metal fastener with a 
minimum of two sections. The two sec- 
tions are attached either to a moveable 
and a fixed barrier, or to two moveable 
barriers. When the barrier is closed, the 
two sections of the hasp are positioned 
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together in such a manner that the shackle 
of a padlock can be inserted through both 
to fasten the two sections together. Only a 
few varieties of hasps are commercially 
available. Most are not comparable in 
quality (in terms of resistance to forcible 
attack) to the high-security padlocks that 
might be used in conjunction with them. 
Since the lock and hasp work together to 
provide security, the proper hasp selec- 
tion and its installation are critical to 
providing the required protection. Hasp 
designs usually vary considerably due to 
different mounting requirements. Hasps 
can be either mounted with nonremov- 
able bolts or welded directly to the door 
or frame. A shackle is typically a U- 
shaped steel bar used to couple a door to 
the doorjamb by means of a hasp. Often 
padlock bodies and shackles are hard- 
ened, with shackle exposure ranging from 
exposed to totally concealed. 

Coded Mechanism 

The coded mechanism is located in the 
lock body and, when decoded, moves or 
permits movement of the latch or bolt to 
the retracted (unlocked) position. There 
are two major types of coded mechanisms, 
keyless and key. 

Keyless Coded Mechanisms A keyless 
lock is a device that is operated by the 
use of a code to gain access. These locks 
include: 

• Mechanical combination 

• Electromechanical combination 

• Mechanical entry control lock 

• Electromagnetic keyless control 

A mechanical combination lock is a 
lock with a number or letter dial rotated 
to certain positions in a particular order 
during a given number of turns in the 
prescribed direction, after which the bolt 
can be withdrawn. Combination locks are 
incorporated into padlocks and door 
locks. They range from simple locker- 
room variety padlocks to highly devel- 



oped security vault door locks; however, 
the basic principle of operation is the 
same for all combination locks. 

The dial is usually divided into sections 
marked with numbers. An index mark is 
located on the door lock's dial ring or, in 
the case of a padlock, on the padlock 
body. In the door lock, the dial and dial 
ring are usually the only visible portions 
of the lock. When the dial is rotated, its 
motion is transmitted to code wheels 
located within the lock case. Correct posi- 
tioning of the wheels allows the bolt to be 
retracted. 

Electromechanical combination locks 
are very similar in operation to mechani- 
cal ones; however, they rely on electron- 
ics rather than mechanical parts to accept 
the combination. One such lock has a 
liquid crystal display (LCD) display that 
shows the numbers selected by turning 
the dial. 

Mechanical entry control locks allow 
local entry through a door based on enter- 
ing a sequence of numbers by pushing 
appropriately numbered buttons. This 
type of lock system allows controlled 
entry into rooms or buildings without a 
central computer-controlled system. 

Electromagnetic locks rely on the 
strength of powerful electromagnets to 
secure a door. A steel strike plate is 
typically mounted on the door with the 
magnet mounted on the doorjamb. 
Holding strength in this type of lock is 
from 600 to 1,200 pounds. Simple elec- 
tromagnetic locks are inherently fail-safe 
because the magnet does not work when 
power is removed. Fail-secure electro- 
magnetic locks employ a solenoid acti- 
vated bolt that works in conjunction with 
the magnetic portion of the lock. 

An alternative design is the shear-type 
electromagnet lock. This lock mounts into 
recesses in the door and door jamb, thus 
hiding it from view. The part mounted in 
the door recess will typically have 
movable steel bolts, or strike plates, that 
are attracted to the electromagnet in the 
doorjamb when the door is closed and the 
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current is applied. The strength of 
commercial electromagnetic shear locks 
ranges from approximately 2,000 to 2,700 
pounds. 

Key Coded Mechanisms Key locks are 
locks that operate through the use of a 
mechanical key. If the correct key is used, 
the key and key mechanism retract the 
bolt or latching and allow access. Most 
key locks fall into five general classes: 
warded locks, wafer locks, pin-tumbler 
locks, disk locks, and lever locks. In addi- 
tion, key locks also include some unique 
options and variations of these general 
classes of locks. 

Warded locks incorporate fixed wards 
or obstacles (external and/or internal 
wards) in the lock structure that a key has 
to clear in order to rotate and operate the 
bolt or latching mechanism. The key for a 
warded lock has ward cuts placed at des- 
ignated locations to allow key rotation. 
Warded locks were once popular as door 
locks and may still be found in some older 
hotels and residences. The warded door 
lock is easily picked. In addition, warded 
skeleton keys (passkeys) are easy to fabri- 
cate and are readily available through 
commercial sources. Since the warded 
lock cannot be keyed with a master key, it 
has limited usefulness and versatility. If a 
warded lock is compromised, it should be 
removed from service since it cannot 
be re-coded for a different key. 

Large lever locks are commonly used in 
prison security applications. These larger 
locks are resistant to picking, primarily 
due to their massiveness and the strength 
of the springs on the levers. A further 
refinement incorporated into some lever 
locks requires that the key be turned 
several times in order for the bolt to be 
completely retracted. In this case, a lock 
would have to be picked once for each 
required key rotation. 

Disks are flat rotating plates that a key 
must align. Rotating disk locks are highly 
pick-resistant locks that operate using a 



specially cut cylindrical key that rotates 
individual disks in the cylinder to differ- 
ent turn angles. When the key is inserted 
and rotated, the disk notches align, allow- 
ing a locking bar to drop into position. 
This action frees the otherwise con- 
strained plug containing the disks and 
allows the plug to rotate. 

Pin-tumbler locks, patented by Linus 
Yale in the 1800s, offer more security than 
warded or wafer locks. However, in their 
standard form, pin-tumbler locks are also 
vulnerable to picking and impressioning. 
The standard pin-tumbler lock consists of 
a cylinder case that contains a cylinder 
plug or core. The lock case houses several 
small, spring-loaded pins placed in line 
and extending into the keyway. The top 
(or driver) pins are forced down by the 
springs into the plug to prohibit plug rota- 
tion. The cone-shaped end of each bottom 
(or key) pin rests against the inserted key; 
if the key is properly cut, it raises the 
break between the top and bottom pins so 
that each break is even with the outer 
surface of the cylinder plug (shear line). 
When the pins are thus aligned, the cylin- 
der plug can be rotated. 

Pin-tumbler locks are usually manufac- 
tured to high-tolerance specifications and 
offer a number of different possible key 
codes. They can easily be master-keyed 
for tens of thousands of possible com- 
binations. Very complex master-keying 
systems can be developed using pin- 
tumbler locks. The pin-tumbler lock is 
widely used in padlocks and door locks, 
as well as for special applications, such as 
keyed electronic switches. 



Installation Considerations 

Generally, the farther the lock is from the 
face of the door, the more protected is its 
position. This protection can also be pro- 
vided by the use of a guard plate that 
covers as much of the cylinder as possible 
while still permitting the key to be turned. 
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Hardened guard rings should be recessed 
and have sufficient taper and rotation to 
withstand forcible defeat. 

Special security screws should be used 
to mount security hardware located 
outside the secured area and, depending 
on application, sometimes those mounted 
inside the secured area. The two basic 
varieties of security screws are those that 
cannot be moved once installed, and 
those that may be removed only with 
a special tool once installed. Adver- 
saries are likely to have access to the 
special tool. 

If screws are used where they are acces- 
sible by an adversary, they should be 
installed with their heads welded to the 
device they are securing. Screws used for 
mounting security devices should be 
hardened. If the hardware is mounted on 
wood, a higher level of security may be 
achieved by using screws long enough to 
embed themselves in the underlying 
structure. 

The possible vulnerability associated 
with keyed locks can be balanced by the 
use of a BMS or other door sensor. Then 
if the door is opened using a key or 
by picking the lock, an alarm will be 
recorded and the unauthorized entry 
detected. This simple measure will work 
against insider or outsider threats and 
can be very cost-effective, particularly if 
sensors already monitor interior doors to 
critical areas. 

In summary, the use of locks should 
apply the same principles as the other 
elements already discussed in this text — 
balance among the subsystem elements, 
and proper selection of the appropriate 
technology for the specific threat under 
consideration. In addition, key control for 
keyed lock systems requires strict adher- 
ence to procedures. For non-keyed locks, 
use of keyed locks as bypasses should be 
considered to allow a backup method of 
entry in case of equipment failure or 
power loss. Once again, keys should be 
strictly controlled. 



System Integration and 
Installation Issues 



There are a variety of issues that must 
be considered when installing the entry 
control components of a protection 
system. At the highest level it must be 
determined if the entry control function- 
ality and the AC&D functionality are to be 
implemented on the same host computer 
or separately, that is, in fully integrated or 
parallel systems. Questions that must be 
considered include: Will the entries and 
exits from a security area be under CCTV 
surveillance? Are there any requirements 
for local masking of sensors? Will there be 
any electronic connection between the 
AC&D/entry control subsystems and the 
contraband detection equipment? These 
issues and many others must be addressed 
at the design stage of the protection 
system. 

There are many AC&D systems that 
incorporate entry control features. Fully 
integrated AC&D and entry control 
systems are attractive for a variety of 
reasons. Often there is a reduced cost for 
both hardware and software to the user 
when a fully integrated system is in- 
stalled rather than two separate systems. 
For example, the field panels that collect 
alarms also have card-reader interfaces 
and door-strike relays on the same board. 
Installation is simplified due to this inte- 
gration. It is important that the AC&D 
system be informed when the entry 
control system authorizes a person to 
open a door, because the door sensor 
alarm signal must be suppressed for some 
period of time to allow the person to 
proceed into the area without causing an 
alarm. Door sensor masking happens 
automatically in a fully integrated system, 
but this function must be implemented by 
some other means, usually with user- 
provided hardware, when installing 
independent systems. 

On the other hand, fully integrated 
systems may suffer performance degrada- 
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tion due to the integration. The reporting 
of alarms must take priority over han- 
dling entry control requests. Although this 
requirement seems obvious, laboratory 
testing reveals that in some systems alarms 
take several seconds to be received by the 
AC&D system because the system was busy 
processing entry control requests. Care 
must be taken when selecting a fully 
integrated system to ensure that system 
AC&D performance is not degraded by the 
entry control function. This is why system 
testing under normal, abnormal, and 
malevolent conditions should be per- 
formed to verify system performance. It is 
not sufficient to test a system under only 
normal operations; this level of perfor- 
mance may not represent the most critical 
operating state of the system. 

Entry and exit through doors, turnstiles, 
and gates area are not normally recorded 
by the CCTV system. However, when the 
security level is sufficiently high and the 
traffic level is low, CCTV and time-lapse 
video recording may be used. Recordings 
of the visual information, along with entry 
and exit logs, can be useful in determin- 
ing the sequence of events when security 
incidents occur. In addition to event- 
logging cameras, door and gate sensor 
alarms should be subject to the same 
video assessment requirements as other 
sensors in the area being protected. 

Often the use of contraband detection 
equipment at an entrance is in the local 
alarm mode of operation. Because of the 
high number of nuisance alarms expected 
from metal detectors due to pocket clutter, 
metal detectors are seldom operated un- 
attended. Security personnel are needed 
at the metal detector to oversee that 
procedures are followed, pocket clutter is 
searched, and alarms are resolved. Fre- 
quently the resolution of metal detector 
alarms involves manual search by pat 
down or by the use of a handheld metal 
detector. X-ray machines employed in 
package search require an operator to 
interpret the image that is generated. 
Automated image analysis of X-ray images 



for contraband is still years away. Despite 
the fact that security personnel are usually 
in attendance at contraband screening 
points, it is sometimes advantageous to 
monitor this equipment at the central 
alarm monitoring station. Metal detector 
alarms may be monitored and the image 
generated by X-ray machines duplicated at 
the alarm monitoring station for secondary 
screening by security operators. 

Another serious concern when design- 
ing an entry control system is the impact 
of fire codes. It is often desirable to main- 
tain secure control for exit as well as 
entrance to an area; this is frequently dif- 
ficult to implement without violating fire 
codes. A fire door normally must have a 
single-hand/single-motion exit device. 
Exit control hardware such as card readers 
and electric strikes can be installed but 
can be easily bypassed by any fire-rated 
exit hardware. Signs indicating that the 
fire-exit hardware is not used except for 
emergencies, but without stating con- 
sequences for violators, may encourage 
some users to bypass the exit controls. 
When fire doors do have controlled 
entrance and free exit, an additional 
means of local masking of the door alarm 
must be implemented. Masking the alarm 
for exits is usually accomplished through 
the use of a request for exit sensor. These 
infrared sensors detect persons approach- 
ing the door from inside the security area 
and alert the system that the door is about 
to be opened. This method is useful during 
normal operating hours at a facility. An 
additional method of addressing fire code 
requirements while maintaining secure 
control includes the use of delayed exit 
hardware, in which the door can be 
opened only after a short period of time. 
This allows for the use of CCTV to monitor 
activity at the exit or for the extension of 
the time delay while verifying the emer- 
gency condition. These systems have been 
useful at schools and other locations 
where false fire alarms have been initiated 
to disrupt normal activities. The method 
used is determined after careful examina- 
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tion of federal and local fire codes and 
security systems implications. In no 
case should lives be placed in jeopardy; 
however, in some facilities critical assets 
must remain protected even in emergency 
conditions. Some examples are semi- 
conductor fabrication plants, commercial 
nuclear reactors, and certain drug manu- 
facturing facilities. In these cases, exit 
from the facility may lead to an additional 
secure but safe area or include the use of 
procedures. 

Interfacing of biometric devices with 
the site's entry control system is another 
problem that arises during system design. 
Most biometric identifiers are imple- 
mented as the entire entry control system, 
rather than a component of a larger entry 
control system. Consequently, even when 
the biometric device has a data interface 
to a larger system, there is no industry 
standard for that interface. This some- 
times forces the designer to trick com- 
ponents into operating in unison when 
combining card readers and PIN pads 
with biometric devices. A simple appro- 
ach is to place the biometric device and 
the entry control system's unlock relays in 
series. A more elaborate integration is 
possible if the biometric devices have a 
card-read buffer or a shared data storage 
area. In this case, the biometric device 
captures the card-reader data stream. 
After the biometric verification is suc- 
cessfully completed, the device sends the 
buffered data to the entry control system. 
In this method the entry control system is 
not aware that the biometric device is con- 
nected. In a few cases the entry control 
system has a device-specific interface that 
allows biometric templates to be stored on 
the entry control system's host computer. 
This is an example of integration at the 
highest level. 

Procedures 

As with any protection technology ele- 
ments, entry control systems require a 



procedural component as well. These pro- 
cedures address issues such as presenting 
badges upon entry, wearing them in plain 
view while inside the facility, and how 
to protect the badge or other credentials 
when off-site. In addition, there should be 
a rule prohibiting the disclosure of any 
PIN numbers. The practice of tailgating, or 
allowing others behind to enter without 
completing the entry control process, 
should also be prohibited. Enforcement 
of this procedure is recommended. All 
employees should receive training on the 
proper use of company entry credentials 
and understand that this is a serious issue 
at the site. Encouraging employees to 
challenge those who try to tailgate or pro- 
viding telephones near entry points to 
report this practice should be considered. 
Although it is courteous to hold doors 
open for fellow employees or others, this 
custom can compromise security at a 
facility, particularly if an employee has 
been recently terminated or if a visitor has 
not received authorization to enter. Along 
with this, employees should not allow 
access to other employees who have 
forgotten or lost their badges. 

Other considerations when installing 
entry control equipment include deter- 
mining how many tries will be allowed 
before an access request is invalid, what 
to do if access is denied this way, and 
establishing a preventive maintenance 
schedule on equipment. Regular calibra- 
tion of metal detectors should be per- 
formed. When using metal detectors, it 
is recommended that the procedure for 
those detected with metal be to remove 
the metal and reenter the detector. A vari- 
ation of this procedure is to use handheld 
portable wands to scan those who have 
been detected. Once an object is found, it 
should be removed and the scan repeated. 
This process should be repeated until 
there are no further detections. It is impor- 
tant to repeat the scan after a metal object 
is found, because the detection of one 
piece of metal does not indicate that this 
is the only piece of metal. Allowing entry 
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after finding a metal object without an 
additional scan can create a vulnerability 
in the protection system. If explosives 
detectors are used at a site, careful 
thought will be required to determine 
what to do if a detection occurs. This 
response can be problematic, because 
there are a number of elements that may 
generate a nuisance alarm, or an adversary 
may have been legitimately detected. If 
cameras are used to verify identity before 
access, users should be instructed or 
trained to remove sunglasses, hats, or 
other image blocking items, and told 
where to stand and which direction to 
face. In addition, random searches of 
packages, briefcases, and purses can be 
implemented along with technology com- 
ponents. In this case, the company policy 
on prohibited items such as guns, other 
weapons, explosives, drugs, alcohol, 
recording devices, and cell phones should 
be included in employee training and as 
a part of visitor control. 

Administrative Procedures 

In addition to the procedures that com- 
plement use of entry control technology, a 
system of access controls will also need to 
be established. This system will define 
who gets access to the facility, during 
which hours, how many different levels of 
access are required, and where people can 
enter. It will also include procedures for 
employees who forget or lose credentials, 
visitor control, and may handle other 
functions such as parking passes. An 
explicit part of these procedures should 
describe access for people with disabili- 
ties or temporary medical conditions, like 
a broken leg or hand. Backup procedures 
will also be required where biometric 
devices are used — both for employees 
who are temporally unable to use the 
system and for visitors who cannot 
be enrolled. These exceptions may be 
handled through the use of oversized 



bypass gates or by directing people to 
manned locations for assistance. 

Procedures must exist for handling vis- 
itors. Clearly, all but the smallest or sim- 
plest facilities need a procedure to provide 
for the authorized access of visitors. The 
appropriate employee should make the 
request for access, and this request should 
include certain pertinent data, such as day 
and time of visit, the point of contact, and 
the purpose of the visit. Procedures may 
also require the signature of a manager to 
authorize the request. If biometric devices 
are used to allow entry, visitors need 
either to be temporarily enrolled in the 
database or the escorting employee will be 
required to provide access at the time 
of entry. The placement of internal tele- 
phones at entry points may also be useful 
when handling visitors. A list of employee 
phone numbers or a help desk should also 
be provided. 

Many large facilities designate a special 
office or manager to administer the access 
control process. An important aspect of 
these controls will be database manage- 
ment. The access control system database 
should be continually updated to reflect 
employee separations, leaves of absence, 
or suspensions. In addition, it should 
track visitor credentials and assign a dura- 
tion time for their use. Access to the data- 
base should be limited and may require 
the consent of two employees to protect 
against insider tampering. 

The office or individual assigned to 
manage access controls should also be the 
location that issues employee and visitor 
credentials. This function will include the 
previously described tasks, as well as 
replacement of old or lost employee 
credentials, removal of old or inactive 
credentials from the database, addition of 
new credentials, and collection of visitor 
credentials at the end of the visit. Because 
this can be a time-consuming process, it 
is recommended that the access control 
computer be separate from the AC&D host 
computer, particularly if this computer 
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will also generate the credential. Personal 
computers are fairly inexpensive and the 
dollars to be saved by performing both of 
these functions on the same computer 
do not justify compromising operational 
security. 

Summary 

This chapter describes entry control 
systems and equipment for personnel 
entry control, contraband detection, and 
detection. These systems meet the objec- 
tive of allowing the movement of autho- 
rized personnel and material through 
normal access routes while detecting 
and delaying unauthorized movement of 
personnel and material into and out 
of protected areas. 

Methods of personnel entry authoriza- 
tion include credentials, personal identi- 
fication numbers, and automated personal 
identity verification. Two types of errors 
are encountered in these systems: (1) false 
rejection, and (2) false acceptance. Most 
credentials can be counterfeited. Also, 
during the process of entry authorization, 
the credential rather than the person is 
verified. Although personnel identity ver- 
ification systems verify a unique personal 
physical characteristic, such as hand 
geometry or eye retinal pattern, they 
require more sophisticated equipment 
and personnel to operate and maintain the 
system. These systems will also require 
backup methods for access for those 
unable to enroll or to temporarily use the 
biometric device. 

Contraband includes items such as 
unauthorized weapons, explosives, drugs, 
and tools. Methods of contraband detec- 
tion include metal detectors, package 
searches, and explosives detectors. Metal 
detectors should be placed at entrances 
and exits, and explosives detectors should 
be placed at entrances. 

An effective entry control system 
permits only authorized persons to enter 



and exit, detects and prevents the entry of 
contraband material, detects and prevents 
the unauthorized removal of critical or 
high value materials, and provides infor- 
mation to the protective force to facili- 
tate assessment and response. The entry 
control system is an important part of the 
detection function of an integrated PPS. 
When combined with entry control pro- 
cedures and a process for access control, 
entry control provides another method of 
providing balanced protection-in-depth at 
a facility. 

Security Principles 

Entry control refers to the technology 
used to restrict entry or exit at a facility. 
Access control includes the databases, 
procedures, and rules for access that com- 
plement technology. 

An entry control system is one of the 
tools that may be used to achieve balance 
and to establish protection-in-depth at a 
facility. 

Entry control technology falls into one 
of three classes — something you know, 
something you possess, or something 
you are. 

Contraband detection requires the pres- 
ence of human operators to make the final 
decision as to the presence of the contra- 
band item. 
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Questions 

1. Discuss the following application 
considerations: 

a. Controlled, free space should be 
provided for entering personnel. 

b. Employees should not use real 
devices and systems to practice 
with or for fun. 

c. A "back out" route should be 
provided for unsuccessful 
users. 

d. Swinging metal doors may inter- 
fere with entry control devices 
(e.g., X-ray package search 
machine and SNM or metal 
detectors). 



e. Enrollment information should 
be kept under security control. 

f. Security personnel should be 
able to observe entry control 
equipment (e.g., personnel or via 
CCTV). 

g. Special requirements (e.g., fire 
lanes, break out doors, etc.) 
should be considered when 
designing entry control system. 

h. Alternate entry control proce- 
dures should be provided for the 
people who do not fit the system 
(i.e., the handicapped). 

i. Measures should be taken to 
compensate for system failures 
(e.g., power failures and equip- 
ment breakdowns), usually with 
parallel components. 

2. In what situations would a protec- 
tive force (guard) be used for entry 
control? What impact could this 
have on the physical protection 
system, the cost, etc.? 

3. Why should portal doors, walls, and 
roof provide the same delay as the 
perimeter or building walls in which 
they are installed? 

4. Why should portal doors be inter- 
locked so that only one door can 
be unlocked and opened at one 
time? 

5. Discuss entry control problems cre- 
ated by a vehicle portal. 

6. What problems would be created by 
a totally automated entry control 
system? 

7. What problems do you expect to 
encounter with an explosives detec- 
tor system? 

8. Why might we need a metal detec- 
tor at the exit of the facility? 
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An effective PPS requires that any 
malevolent act committed by an inside 
or outside adversary must be detected so 
that the response force, including on-site 
guards, local police, and others, can inter- 
rupt the adversary's attack before the goal 
is achieved. Because it is usually not 
feasible to maintain a large enough guard 
force to place guards at all asset locations, 
some type of adversary delay is needed. 
After an adversary has been detected, 
delay elements will prevent completion of 
the malevolent act or provide delay until 
an adequate response force can arrive. 
Other means of improving the probability 
of adversary interruption should also be 
considered. Against an outsider threat, 
early detection at the site perimeter, as 
opposed to detection inside a building 
or vault, increases the available response 
force time after detection. Minimizing the 
amount of time required to complete the 
assessment decision will also improve 
the total response time. 

Figure 11.1 is a simple illustration of 
the functions of a physical protection 
system and the barriers in that system. 
Although in this example the adversary is 
considered to be an outsider, the logic is 



also true for an insider. The time required 
for the adversary to achieve the final 
objective is labeled adversary task time. 
At some point in the scenario, the ad- 
versary must be detected. This point is 
labeled T . In Figure 11.1, the adversary 
task time is represented by a dotted line 
to point T,„ because this is where detec- 
tion begins. If the adversary goal is to 
enter a room or a building, the task time 
may be very short. If the goal is to accom- 
plish sabotage or theft of critical assets, 
the adversary task time will most likely be 
longer. After event T , some time will be 
required to assess the alarm and the level 
of the threat. If the assessment shows a 
valid intrusion, the response force is noti- 
fied. To counter the threat, some amount 
of time is then required to move the 
appropriate response force to the desired 
location. 

For an immediate on-site response, the 
objective of a PPS is to assure that an 
adequate response force arrives in a 
timely manner to prevent an adversary 
from stealing or damaging a critical asset. 
The role of barriers is simply to increase 
the adversary task time following detec- 
tion by introducing impediments along 
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Figure 11.1 Role of Delay in a Physical 
Protection System. At time T , the adver- 
sary is first detected. The delay elements 
serve to slow the adversary down and 
allow time for the response force to inter- 
rupt the adversary 



any path the adversary may choose, 
thereby providing the needed time for the 
response force to arrive and react. Some 
barriers might deter or, if the adversary is 
unable to complete penetration, even 
defeat some threats. Since the degree to 
which the barriers are able to fulfill these 
two roles is uncertain, they can be con- 
sidered only as unreliable obstacles to 
delay adversaries who are well-equipped 
and determined. 

Barrier Types and Principles 

Access-delay barriers may take the form of 
passive barriers, guards, or dispensable 
barriers. Passive barriers include struc- 
tural elements such as doors, walls, floors, 
locks, vents, ducts, and fences. The pres- 
ence of guards can also provide delay to 
adversaries using stealth or covert tactics 
to gain entry. Guards may only provide 
minimal delay to adversaries using force, 
unless in fixed and protected positions. 
Dispensable barriers are those that are 
deployed only when necessary during 
an attack. Each type of barrier has 
advantages, and a well-designed PPS 
will combine all three types to achieve 
maximum effectiveness. 



The presence of guards offers a flexible 
and continuous delay element. Guards can 
be easily shifted around a site, and shifts 
can be arranged to cover the entire work 
schedule. At the same time, the use of 
guards is a significant operational expense, 
and superior adversary numbers can over- 
whelm guards. In addition, as people, they 
are subject to compromise. Passive barri- 
ers are always in place and will fail secure, 
that is, even if they fail the delay value will 
remain. Many passive barriers are also 
commercially available, reducing their 
cost and increasing their accessibility. 
Most passive barriers are weak against 
explosive attacks, however, and they gen- 
erally impose operational and aesthetic 
limits on a facility. Dispensable barriers 
have the advantages of being compact and 
rapidly deployable. Examples of dispens- 
able barriers include chemical fogs and 
smokes, foams, and irritants. When imple- 
mented properly they also can maximize 
delay at the asset location. Due to their dis- 
pensable characteristic, they are some- 
what threat independent. For example, the 
time delay provided by a fog or smoke will 
largely be the same regardless of the tactics 
or capabilities of the adversary. Dispens- 
able barriers do have some associated 
safety and operational concerns, such as 
spurious activation or possible injury to 
those caught in the material. 

Traditional barriers, such as chain-link 
fences, locked doors, grilled windows, 
masonry walls, and even many types of 
vaults, are not likely to delay a small 
group of properly equipped and dedicated 
adversaries for a significant length of time. 
Although the role of delay in a PPS is easy 
to define, the implementation of barriers 
is not a simple task. Ensuring that the nec- 
essary barriers are in effect at all times 
during all operational states of the facility 
requires special attention. Often, the use 
of compensatory measures, such as ad- 
ditional guards, is required to offset the 
decreased delay and increased risk en- 
countered during certain operations such 
as fire drills, temporary movement or 
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storage of critical assets, or maintenance 
by contract employees. Further, barriers 
that impede normal operations, such as 
vehicle traffic between buildings or per- 
sonnel access to common areas such as 
cafeterias, will not be acceptable to a 
facility. 

Barriers must be considered in relation 
to the adversary's objective. If the objec- 
tive is theft of assets, barriers that are pen- 
etrated or destroyed on the way into the 
facility may not provide delay for depar- 
ture from the facility. Some barriers, such 
as emergency exits, provide some delay 
from the outside but, due to safety re- 
quirements, allow rapid exit from the 
inside. With the exception of a few barri- 
ers provided by natural elements such as 
rugged coastlines, high cliffs, mountain- 
tops, and vast distances, physical protec- 
tion must be provided by barriers that are 
carefully planned and positioned in the 
path of the adversary. The degree of delay 
afforded depends on the nature of the 
physical obstacles employed and the tools 
used to breach them. 

To aid alarm assessment and intercep- 
tion of the adversary at predictable loca- 
tions, consideration should be given to 
installing detection systems and barriers 
adjacent to each other so that the barrier 
is encountered immediately after a sensor. 
This arrangement serves to delay the 
adversary at the point of detection and 
increases the probability of accurate 
assessment. 

The principle of balanced design 
ensures that each aspect of a barrier con- 
figuration affords equal delay, or in other 
words, no weak links exist. For example, 
an adversary is not likely to burn a hole 
in a door to crawl through if door locks or 
hinges are clearly easier to defeat. The 
principle of delay-in-depth is similar to 
protection-in-depth for detection sys- 
tems. Multiple layers of different barrier 
types along all possible adversary paths 
will complicate the adversary's progress 
by requiring a variety of different tools 
and skills. 



System Considerations 



Most security barriers at industrial facil- 
ities are designed to deter or defeat infre- 
quent acts of casual thievery and 
vandalism. In today's environment of 
escalating threats, these traditional 
fences, walls, doors, and locks may 
present very little deterrence or delay. 
The contribution of delay after detection 
to system effectiveness is extremely im- 
portant. Each additional minute required 
by the adversary provides additional time 
for assessment and for the response force 
to interrupt the action. A few minutes of 
delay may have a significant effect on the 
outcome of an adversary intrusion. 

Using the design basis threat, assump- 
tions about the adversary's level of tech- 
nical skill and appropriate equipment 
are made. If barrier upgrades follow the 
balanced design concept, the adversary's 
path may not change, but this may require 
use of different tools. Upgrading a barrier 
to force the adversary to use more sophis- 
ticated tools should complicate the logis- 
tics, training, and skill required by the 
adversary even though the penetration 
time may not, in some cases, change 
significantly. 



Aspects of Penetration 

A barrier is penetrated when an indi- 
vidual can pass through, over, under, or 
around the protective structure. In this 
text, the penetration effort is assumed to 
start at a distance two feet in front of 
the barrier and to end at a point two feet 
beyond the barrier. Penetration time 
includes the time to traverse the barrier. 
Consideration must be given to the type of 
path made through a barrier. For example, 
cuts though reinforcing rebar in concrete 
may be very jagged, and cuts made with 
thermal tools may require cooling. These 
effects will lengthen the delay time of the 
barrier. Very thick walls require a larger 
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hole for crawling through than do thin 
walls, also increasing delay time for the 
adversary. 

A vehicle barrier is penetrated when 
the ramming vehicle passes through or 
over the barrier and is still a functioning 
vehicle, or a second vehicle can be driven 
through the breached barrier, or the 
vehicle barrier is removed or bridged and 
a functional vehicle passes through or 
over the barrier. The type of vehicle per- 
ceived to be a threat will have a consid- 
erable effect on the performance of the 
barrier. A chain-link fence may be capable 
of stopping a motorcycle or a small all- 
terrain vehicle (ATV), but would be com- 
pletely ineffective against a large truck. 

As an adversary encounters a series of 
progressively more difficult barriers, it 
becomes increasingly difficult to transport 
and set up sophisticated tools, especially 
if the adversary must crawl through a 
series of small openings. The proximity of 
the target area to vehicular traffic should 
also be considered. When the adversary is 
forced to carry heavy equipment for long 
distances, the delay times may increase 
significantly. For this reason, some facili- 
ties place barriers outside perimeter 
detection. In this case, the barriers are 
used to force the adversaries to change 
tactics and abandon their vehicle. This 
will slow down adversaries' progress by 
forcing them to walk or run and to carry 
their tools on foot, but until they are 
detected this delay is not included in 
system effectiveness measures. 

Barrier penetration time is a function of 
the attack mode, which is governed by the 
equipment required. Categories of attack 
tools considered in this chapter are: 

• hand tools — sledgehammers, axes, 
bolt-cutters, wrecking bars, metal 
cutters 

• powered hand tools — hydraulic bolt- 
cutters, abrasive saws, electric drills, 
rotohammers, abrasive water jets 

• thermal cutting tools — oxyacetylene 
torches, oxygen lances 



• explosives 

• vehicles — trucks , automobiles , trains , 
boats, planes, helicopters, motorcy- 
cles, and ATVs 

Figure 11.2 presents a graphic exam- 
ple of a simple scenario for theft using 
conventional barriers. The scenario starts 
with the adversary just outside the fenced 
area and ends when the adversary has 
exited the fenced area with the stolen 
asset. In this example, the adversary can 
accomplish the theft in about three 
minutes if not interrupted by the response 
force. Of course, security forces may not 
be available to interrupt the adversary 
unless there is detection at some point in 
the scenario, an accurate assessment is 
made, and the response force has time to 
respond. 

To illustrate the response times needed 
for various protection system goals, 
assume that a perimeter detection system 
with an immediate alarm assessment 
capability exists just inside the fence of 
the example facility. If the goal is to inter- 
cept the adversary before penetrating the 
building, the response force must arrive 
within about one minute of the alarm. If 
the goal is denial of the adversary sabo- 
tage task at the asset, the response force 
must arrive at that location within about 
two minutes of the alarm. If the goal is 
containment of the adversary within the 
fenced area after an attempted theft, the 
response force must intercept the adver- 
sary within three minutes of the alarm. 
Because of the short penetration times 
of many conventional barriers and the 
resulting short total adversary scenario 
times, enhanced or new barriers may be 
needed to lengthen the delays and gain 
adequate time for the response force. 

Perimeter Barriers 

Perimeter barriers form the outermost pro- 
tective layer of a PPS; their function is to 
exclude unauthorized personnel from an 
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Figure 11.2 Adversary Theft Path. The adversary must complete all eight tasks on the 
path to successfully steal the asset 



area. The standard chain-link fences com- 
monly used as perimeter barriers around 
industrial facilities cannot be considered 
a serious deterrent to any dedicated 
adversary. These fences, however, do 
serve to establish a visible legal boundary 
around a facility, and can hold signs 
advising outsiders of trespassing viola- 
tions or use of deadly force in some cases. 
Fences can be rammed through with a 
vehicle, climbed over, crawled under, or 
cut through in just a few seconds. Im- 
proving this type of fence with a few 
rolls of barbed tape or concertina wire 
will increase the delay only a nominal 
amount. Almost any type of perimeter 
barrier that is a few yards high and on the 
order of 30 feet wide can be bridged with 
portable bridging aids such as ladders or 
ropes in a minute or less. 



However, even though it is difficult to 
define a perimeter barrier that is cost- 
effective and will delay intruders for a 
period of several minutes, the merits of 
upgraded perimeter barriers are signifi- 
cant. First, coupling vehicle and person- 
nel barriers into a perimeter, inside 
and adjacent to the perimeter detection 
system, will delay the intruder at the point 
of detection for some finite period of time, 
thus improving the assessment function. 
Second, if a meaningful delay of the 
intruder at the perimeter is achieved and 
the response force responds promptly to 
the assessed alarm, it can intercept the 
intruder near the point of the alarm. 
Without such a delay, it is unlikely that the 
intruder will still be at the point of alarm 
when the response force arrives. Third, 
when it is necessary to protect a site 
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against an adversary whose target is assets 
stored in a variety of easily penetrated 
buildings located within the site, a posi- 
tive protection zone incorporating detec- 
tion and assessment, delay, and response 
at the perimeter may be the most reason- 
able or attractive option. Finally, where 
necessary, consideration should be given 
to using a vehicle barrier around a site 
perimeter inside the perimeter sensors to 
force an intruder to travel on foot and to 
carry any needed tools and weapons. 



Fences 

Security fences topped with rows of 
barbed wire, general-purpose barbed-tape 
obstacle, or barbed-tape concertina (BTC) 
do not prevent intrusion. However, 
placing rolls of barbed tape on or near 
standard fences can moderately enhance 
their capability to delay intruders 
(Kodlick, 1978). Roll arrangements are 
limited only by availability of land and 
funds for upgrading. 

Attaching one roll of barbed tape to the 
outriggers of an existing security fence is 
probably the most cost-effective addition 
that can be made because an intruder 
must now bring additional aids or bulky 
equipment to climb over the fence. 
Reversing the outriggers to point toward 
the inside when installing the barbed tape 
eliminates the handgrip used by intruders 
in climbing over the fence, but studies 
have shown that the direction of the 
outriggers makes very little difference in 
fence climbing times (Kodlick, 1978). 

An additional enhancement involves 
placing barbed-tape rolls either horizon- 
tally on the ground or against the fence 
fabric. Usually the barbed tapes are placed 
on the inside of an outer perimeter fence 
and on the outside of an inner (double) 
fence. This prevents accidental injury to 
the casual passerby, both outside and 
inside a site or facility. When rolls of 
barbed tape are placed horizontally, they 
are staked to the ground. Care must be 



taken to prevent excessive plant growth 
and collection of debris in the rolls. In 
addition, rolls of barbed tape will obscure 
CCTV views in the clear zone and in- 
crease assessment time. 

An example of the triple-fence system 
in use at some facilities is shown in Figure 
11.3. Mounds of BTC are stacked against 
the middle fence. The mound consists of 
six rolls of BTC and is approximately 6.5 
feet high and 9 feet wide. The penetration 
time for this system is several minutes, 
depending on the method used. The ad- 
vantage of this system is the additional 
bulky equipment required by the adver- 
sary to penetrate the barrier. The dis- 
advantages include the accumulation of 
debris that would collect between the 
fences creating a maintenance problem, 
and the degraded CCTV performance due 
to the number of opaque barriers that 
would appear on the CCTV monitors. This 
would have the effect of hiding any adver- 
sary progress through the mounds of BTC, 
making assessment difficult if not impos- 
sible. Other drawbacks of the triple-fence 
system are land area required, safety 
issues, and cost of implementation. The 
few minutes of delay the BTC mounds 
add may not be justified by the high cost, 
especially for larger sites (Kane and 
Kodlick, 1983). 



Gates 

Gates establish specific points of entrance 
and exit to an area defined by fences and 
walls. They function to limit or prohibit 
the free flow of pedestrian or vehicular 
traffic and establish a controlled traffic 
pattern. Gate barriers and perimeter 
fences should be equal in delay effective- 
ness. Gates often require additional hard- 
ening features because, as a consequence 
of their weak hinges, locks, and latches, 
they are considered easy to defeat. In 
addition, a vehicular driveway is often 
aimed directly toward a gate, making the 
gate susceptible to ramming by a vehicle. 
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Figure 11.3 Triple-Fence System with Barbed-Tape Rolls. The mound of barbed tape 
contains six rolls. Penetration time is on the order of several minutes, but the tape rolls 
will block effective CCTV assessment 



The orientation of vehicle gates and 
their driveways could reduce the proba- 
bility of their being breached by vehicles. 
Driveways constructed with multiple 
turns on each side of the gateway will 
reduce the approach and departure speed 
of vehicles. 

The use of multiple hardened gates 
in a vehicle portal at the perimeter is 
an option for upgrading vehicle portals. 
These gates can be interlocked, requiring 
one gate to be closed and locked before 
the other can be released and opened. The 
area between the gates provides a holding 
area to allow sufficient time to determine 
if contraband materials or unauthorized 
persons are attempting entry or exit. 



Vehicle Barriers 

Entry of private motor vehicles into 
secured areas should be minimized as 
they can be surreptitiously used to intro- 
duce tools and explosives by an unwitting 



owner/driver. Ground vehicles can be 
used by adversaries to penetrate perime- 
ter barriers. Cars and trucks can crash 
through most fences. In order to minimize 
the probability of breaching any secured 
area, vehicle barriers should be designed 
and installed in strategic locations, which 
can best be determined by examining 
and coordinating the following design 
considerations with the vehicle barrier 
system: 

• Define the threat that the barrier 
system is intended to stop (including 
weight of vehicle, impact velocity, 
and other physical characteristics). 

• Define the asset and determine the 
area to be protected before selecting 
the vehicle barrier location. 

• Examine site-specific considerations 
such as terrain, road layout in and 
around the secured area, buildings 
and parking lot layout, climate 
conditions, and the traffic patterns 
around the area. 
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• Design a vehicle barrier system, 
keeping the entire PPS in mind. 

Once the layout of a barrier system has 
been designed, the next step is to select 
the types of barriers that are best suited to 
protect against the defined threat vehicle. 
In order to provide full penetration resis- 
tance, barriers must be selected to fit the 
particular situation and be installed prop- 
erly. Barriers that are difficult to defeat 
should be installed in areas that cannot be 
monitored continuously but may be peri- 
odically checked by roving guards. For 
example, deeply buried, concrete-filled 
pipes can be constructed so that they will 
be difficult to defeat, thereby delaying an 
adversary long enough to be detected by 
a guard on patrol. Cable barriers can be 
easily defeated with hand-carried cutting 
tools. These barriers should be located 
only within areas that are well patrolled 
or sensored and under CCTV assessment. 
Another factor in the selection and 
placement of a vehicle barrier is the 
height at which it will impact the vehicle. 
The optimum height for any barrier 
depends on its construction and the 
anticipated threat vehicle. It has been 
determined by tests that a height of 30 
inches works best for most vehicles (Sena, 
1984). 

All barriers can eventually be breached 
if the adversary is allowed enough equip- 
ment and left unchallenged for a sufficient 
amount of time. Denying rapid vehicular 
access forces the adversary to physically 
carry any tools or breaching aid to other 
barriers, or to consume time in attempting 
to move the vehicle through the vehicle 
barrier. If the adversary is prevented from 
using a vehicle to penetrate a secured 
area, this will force slower movement on 
foot inside the area and prevent a rapid 
means of escape. 

A barrier system must be capable of 
stopping a defined threat vehicle at a 
specific distance away from a secured 
area, regardless of where the attack begins. 
The stopping capabilities of stationary and 



movable barriers must balance each other 
so that no weak section will be present in 
the system. Two-way protection with bar- 
riers may be necessary in some situations, 
such as preventing a threat vehicle from 
entering and leaving a secured area. 

In order for the vehicle to be stopped, 
the vehicle's kinetic energy, which is pro- 
portional to the square of its velocity and 
to its weight, must be dissipated. Most 
current vehicle barriers are designed to 
stop vehicles through one or more of the 
following methods: 

• Vehicle Arrestor — Absorbs virtually 
all of a vehicle's kinetic energy and 
applies a low to moderately resistive 
force to gradually stop a vehicle in a 
relatively long distance. Examples 
are weights that are dragged by 
a vehicle and accumulate with dis- 
tance traveled, or piles of loose sand. 
After crashing through a fence, gate, 
or other barrier, the weights are 
attached to the vehicle by the force 
and momentum of the crash. 

• Crash Cushion — Absorbs a large 
portion of a vehicle's kinetic energy 
and provides a stiff resistive force 
to stop a vehicle in a reasonable 
distance. Examples are liquid-filled 
plastic containers and arrays of 
empty steel barrels that are backed 
by strong supports. 

• Inertia Device — Exchanges momen- 
tum and kinetic energy with a 
vehicle during impact. This device 
provides a stiff resistive force to stop 
a vehicle in a reasonable distance. 
Examples are relatively small con- 
crete shapes and sand-filled barrels 
that are not anchored. 

• Rigid Device — Provides very highly 
resistive force to stop vehicles in 
very short distances. The vehicle dis- 
sipates almost all of its own kinetic 
energy as it deforms during impact. 
Examples include massive concrete 
shapes and steel structures that are 
well anchored. 



Access Delay 



209 



Structural Barriers 



Structural barriers include walls, doors, 
windows, utility ports, roofs, and floors. 
Most building walls and locked doors can 
be penetrated quickly. In addition, most 
buildings include forcible entry points, 
such as windows and utility ducts that 
provide intruders with easy routes for 
entry or exit. In less than 5 minutes, an 
adversary with explosives and cutting 
tools can make a crawl hole through a 
reinforced, 18-inch thick concrete wall. 
Tests at Sandia National Laboratories 
show that the concrete is readily removed 
by the explosive charge (White, 1980). 
The cutting of the 19-mm diameter rein- 
forcing rebar inside the concrete provides 
most of the delay. Locked personnel doors 
can be opened or penetrated within time 
periods that range from a few seconds to 
a few tens of seconds. Door or building 
windows equipped with expanded metal 
grilles offer little delay to determined 
adversaries. 

Hardening a building shell of conven- 
tional construction so that it will resist 
forcible penetration for a significant 
amount of time would probably require 
major change, and would not, in most 
cases, be practical. Furthermore, doors 
must be opened or unlocked during 
working hours for operational needs and 
for use as rapid emergency exits for 
personnel safety, which would provide 
an easy adversary path through walls. 
Factors such as these tend to limit the 
delays that can be achieved through 
building hardening. 

Walls 

Walls of buildings, vaults, and other struc- 
tures are usually considered to be more 
resistant to penetration and less desirable 
as targets for forcible entry than are 
doors, windows, vents, and other conven- 
tional wall openings. Most existing walls, 
however, can be breached if adequate 



tools are used. A wall may be the 
optimum path for forcible entry by an 
adversary. Explosives are especially effec- 
tive in producing holes large enough to 
crawl through. Upgrades to existing walls 
or new wall designs can significantly 
extend the penetration delay against 
hand, power, or thermal tools. Against 
explosives, upgrading walls or increasing 
wall thickness usually results in moderate 
delay increases; however, the amount of 
explosives needed increases substantially 
with wall thickness. Upgrading walls 
can also force an attacker to selectively 
increase tool requirements and alter 
penetration methods. 

The most common types of walls in 
facilities are: 

• reinforced concrete 

• expanded metal/concrete 

• concrete block 

• clay tile 

• precast concrete tee sections 

• corrugated asbestos 

• sheet metal 

• wood frame 

Reinforced concrete walls are com- 
monly used in structures used to store and 
protect sensitive materials. Due to their 
structural reputation and rugged appear- 
ance, concrete walls are almost univer- 
sally believed to be formidable barriers. 
Testing has shown, however, that stan- 
dard reinforced concrete walls can be 
penetrated rapidly (White, 1980). Con- 
crete walls are designed to support struc- 
tural loads and, except for vault walls, 
are not normally designed specifically to 
thwart or delay penetration. In conven- 
tional construction, strength and thick- 
ness of concrete and size and spacing 
of reinforcing materials are determined 
based on structural requirements. 

Two or more reinforced concrete walls 
in series provide longer penetration delay 
times than one wall with a thickness 
equal to their combined thicknesses. 
Penetration of multiple walls requires 
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multiple individual efforts and the trans- 
port of tools through preceding walls. If 
explosives are used, contained internal 
pressure from the explosive charge could 
possibly cause collapse of the roof and 
surrounding structures, creating further 
barriers in the form of rubble. 

Reinforcement of concrete can be 
employed to extend the penetration delay 
time in most designs. Even though the 
explosion penetrates the concrete, the 
reinforcing rebar usually remains intact to 
the extent that it must be removed before 
entry can be accomplished. Removing the 
rebar often requires more time than is 
needed to remove the concrete; therefore, 
using additional rebar, increasing rebar 
size, or decreasing center-to-center rebar 
spacing can be advantageous. 

Further suggestions for upgrading the 
barrier potential of existing walls or for 
consideration in design and construction 
of a new structure include the use of earth 
cover or other overburden to delay access 
to the wall itself, or the use of thick or 
multiple concrete walls to extend delay 
time and force explosives amounts to 
impractical limits. The employment of 
overburden is inexpensive yet effective 
against all methods of attack. 



Doors 

In all structures the weakest portion 
ultimately determines the value of a 
barrier. The principle of balanced design 
is especially pertinent to doors. Doors are 
classified as: 

• standard industrial doors 

• personnel doors 

• attack- and bullet-resistant doors 

• vehicle access doors 

• vault doors 

• blast-resistant doors 

• turnstile gates 

Penetration delay times through walls 
can be increased through the use of 



thicker or composite materials. Doors, 
however, are often one of the weakest 
links in a structure due to the design 
restrictions imposed by the door's func- 
tional requirements and associated hard- 
ware. For example, many buildings with 
heavy concrete walls provide pedestrian 
access through hollow steel doors. The 
barrier value of the wall is relatively high, 
but it is weakened by the use of ordinary 
doors, frames, and hinges that can be 
quickly penetrated. 

Consequently, the principle of balanced 
design requires that doors and their as- 
sociated frames, hinges, bolts, and locks 
be strengthened to afford the same delay 
as that provided by the floors, walls, and 
ceilings of the parent structure. Con- 
versely, if the door assembly cannot be 
enhanced, it may not be cost-effective to 
upgrade the building structure. In recent 
years a number of major door manufactur- 
ers have made attack- and bullet-resistant 
doors. When properly installed, these 
doors may offer a substantial increase 
in penetration resistance over standard 
industrial doors. The following examples 
discuss standard personnel doors. 

Personnel doors vary in type, style, and 
class, but most common exterior doors 
are l 3 / 4 -inch thick with 16- or 18-gauge 
(1.5- or 1.2-mm) steel surface sheets. Con- 
struction is usually hollow core or com- 
posite with or without glass or louvers. 
A composite door core consists of a non- 
combustible, sound-deadening material, 
usually polyurethane foam or slab. Light- 
gauge vertical reinforcement channels are 
sometimes used inside hollow core doors 
to add strength and rigidity to the door 
assembly. 

Steel pedestrian doors are found in 
single or double configurations and use a 
wide variety of locking devices. Exterior 
doors usually swing outward, regardless 
of their functional design, and have their 
closing devices attached internally. 
Hinges are mortised with either remov- 
able or nonremovable pins. Additional 
doors are provided for emergency exits, as 
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required by fire and life safety codes. The 
requirements for panic bar devices on all 
emergency exits make the door to which 
they are attached only a one-way barrier. 
This safety requirement provides a variety 
of exit modes to outside attackers after a 
building has been breached, as well as 
giving an insider an easy way to defeat the 
delay. Certain exceptions to life safety 
codes and crash bars are permissible. As 
discussed in Chapter 10, "Entry Control," 
a commonly used system employs a 30- to 
45-second delay incorporated into the 
emergency exit door. Under normal cir- 
cumstances, the delay mechanism will 
prevent opening of the door for the pre- 
scribed time. However, if a fire alarm is 
pulled or the automatic fire suppression 
system is activated, the delay mechanism 
is overridden and the door will open 
immediately. Penetration times for light- 
weight sheet steel doors vary depending 
on the attack tools used. The following 
sections describe the attack modes against 
which standard doors are weak. 

Standard Doors 

An attack that uses explosives is a very 
noisy mode of entry and produces ob- 
vious evidence of penetration, which 
can help in detection of an attack. The 
explosives used can range from a small 
homemade bomb to very potent charges. 
The use of a thermal cutting tool offers an 
alternate entry method. Power tools can 
also produce a hole big enough to crawl 
through in approximately 3 minutes. 

Standard key-locking mechanisms, if 
accessible, can probably be picked. Pick- 
ing time varies with the type and phy- 
sical condition of the lock but averages 
about 1 minute for a skilled locksmith. 
A pipe or strap wrench used on key- 
in-knob locks reduces penetration time 
to tenths of a minute. These methods do 
have some limitations, however. Picking 
tools are effective only if a keyway 
is available; a pipe wrench is effective 
only if locking hardware is exposed. 
Many doors need no entrance modes 



at all (only exit modes) and, therefore, can 
be fully flush-mounted with no external 
hardware. If keyways are required, there 
are several high-security locks on the 
market that require quite long pick times. 
In addition, use of door sensors will 
mitigate lock vulnerabilities. 

On external doors, hinge pins are 
usually exposed and are natural attack 
targets. Even nonremovable hinge pins 
can be readily defeated with hand tools. 
Thermal tools or explosives can also be 
used for rapid removal of hinges. About 1 
minute is required to defeat the hinges 
(typically three] on an external door. 
Hand tools are an effective means of 
penetrating louvers, windows, or mesh on 
doors. A large crawl-through hole can be 
made through plate, tempered, or wired 
glass in 15 seconds. Louvers can be forced 
apart or mesh and glass can be cut in 
approximately 30 seconds. 

Improved designs are necessary to 
upgrade the penetration resistance of 
industrial doors to match the delay pro- 
vided by the remaining structure. Pene- 
tration times for industrial doors vary 
greatly; the minimum penetration time is 
about 10 seconds. Removal of internal 
panic bars is desirable, but fire and build- 
ing codes may disallow this. 

The following discussion applies to 
facilities with older standard doors to be 
upgraded when complete door replace- 
ment is not an option. At new facilities or 
where complete door replacement is nec- 
essary, new high-security, attack-resistant 
doors should be used. 

Steel pedestrian doors mounted in 
stamped steel frames are frequently found 
in existing structures. These doors offer 
little resistance to forcible attack; how- 
ever, they can be upgraded in various 
ways to increase their penetration delay 
time. The upgrades and design concepts 
described in the following paragraphs 
are intended to balance the overall door 
structure, including the door face, frame, 
hinges, exit devices, louvers, glazing, and 
locks, and to protect it against forcible 
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penetration attempts with hand, power, or 
thermal tools. 

Eliminating all unnecessary doors is the 
first step in upgrading existing facilities. 
Eliminating all windows, louvers, and 
external knobs and keyways is the next 
level of upgrade. One structural enhance- 
ment is the addition of steel plates to door 
surfaces; this increases the penetration 
resistance of a door to hand and light 
power tools. Heavy-duty hinges should be 
used to support any added weight, and 
frames should be grouted with concrete 
to strengthen the supporting structure. 
Wood cores, particularly redwood, placed 
between door plates increase the delay 
times for thermal cutting tools by a 
factor of three to four times that of an 
air void. 

Hand tools can be used to attack the 
lock/frame area of a door in order to force 
the frame strike away from the lock bolt. 
A forced separation of V, inch to 3 / 4 inch 
is usually sufficient to pry open a door. A 
method has been devised to prevent easy 
access to the lock/frame area. A sheet steel 
strip can be either welded or bolted to the 
door. This strip should be the same height 
as the door and at least 2 inches wide 
with a 1-inch overlap onto the adjacent 
doorframe. In addition, the frame should 
be grouted with concrete mix at least 18 
inches above the frame strike location. 
Holes can be cut in the doorframe to allow 
grouting of both sides of the frame. The 
holes can then be covered with a cover 
plate, which is welded or screwed into 
place. A high-security lock could also be 
installed on exterior pedestrian doors, 
because lock defeat is one of the quickest 
and quietest means of gaining entry to a 
protected area. Replacement of a single 
conventional lock with a high-security, 
multiple deadbolt system would virtually 
eliminate prying attacks. 

Hinges can be compromised in approx- 
imately 1 minute either by removing the 
pins or by cutting the hinge knuckles. 
Welding the pin top to the hinge will 
extend penetration times if only hand 



tools are used; however, if the hinge 
knuckles are cut with power or thermal 
tools, the penetration time is still about 1 
minute. Upgraded hinges with a stud-in- 
hole feature are commercially available. 
This type of hinge extends penetration 
time. Another method devised to prevent 
hinge-side door removal employs a Z- 
strip made from steel, which is bolted or 
welded to the rear face of the door. This 
strip is formed so that if the door hinges 
are removed and an attempt is made to 
pry the door from its frame, one leg of the 
Z-strip will come in contact with either 
the inner frame surface or the rear door- 
stop surface. Once the Z-strip contacts 
the doorframe, adversaries must use 
excessive force and large tools to remove 
the door. A variety of full length hinge 
designs are also available that may extend 
penetration times significantly. 

Most exterior doors are equipped with 
panic hardware that allows rapid exit in 
case of emergency. However, this safety 
equipment also makes a door more vul- 
nerable to defeat. Panic (or crash) bars can 
be defeated in about 1 minute by using 
small hand tools. This method of defeat 
produces less noise than does thermal 
cutting. Where noise is not a factor, hand 
or power tools can be used. One possi- 
ble method of upgrading a panic bar- 
equipped door employs a bent metal plate 
with a drill-resistant steel section fastened 
to it. The plate prevents chiseling and 
wire hooking of the panic bar. The drill- 
resistant section extends penetration time 
considerably if the area between the panic 
bar and the horizontal leg of the plate is 
attacked. If any other location on the door 
is selected for penetration, manipulation 
becomes considerably harder. Electronic 
control devices are also available for use 
with emergency exit hardware. These 
devices require the push bar to be 
depressed for a predetermined amount 
of time before an electronic deadbolt is 
released. This allows a security officer 
time to assess the situation via CCTV or to 
respond to the door alarm, if necessary. 



Access Delay 



213 






Inside 



Frame 






Door 



Z-Strip 



'Open 



Door 



K 




Exit Device , 
Push-to-Open 



Drill Resistant 
Steel 
Panic Bar Plate 



Figure 11.4 Upgraded Door. The door has a Z-strip added to prevent prying, a plate to 
prevent defeat of the panic bar, and hardened glass, frame, and louvers 



Figure 11.4 shows an upgraded exterior 
door incorporating many of the features 
described above. One additional recom- 
mendation is the removal of exterior door- 
knobs or other hardware from emergency 
exit doors. This will reduce the possibil- 
ity of any prying attack from the outside, 
but does not compromise rapid emer- 
gency egress. 

The use of either louvers or glazing 
material should be minimized for exterior 
doors since these assemblies can be easily 
penetrated with hand tools. Either re- 
moval of all door louvers and glazing, 
or a reduction in size (less than crawl- 
through size) is recommended. Possible 
upgrades include the addition of a screen 
or a bar grid to the interior of the louver 
or glazing. 



Windows and Utility Ports 

Windows provide only minimal penetra- 
tion delay to adversaries and require 
enhancement to provide significant pene- 



tration resistance. The location of the 
window affects the upgrading required. 
Windows should follow the balanced 
design principle so that they will not be 
the weak link in a barrier system. This 
section describes frames, glazing materi- 
als, and protective coverings, as well as 
other suggestions for improving window 
penetration delay times. 

In addition to doors and windows, 
industrial facilities have many unat- 
tended structural openings, such as venti- 
lating ducts, utility tunnels, and service 
openings, which can be used as intrusion 
paths by adversaries. Few existing struc- 
tural openings would delay a determined 
adversary for very long, especially if the 
openings are designed to provide easy 
access for maintenance. These openings 
can function as a concealed pathway 
and, therefore, should be barricaded and 
sensored. The term utility port is used in 
this discussion to include all types of 
unattended framed openings other than 
doors and windows. Often these openings 
contain grills installed for safety and 
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ornamental reasons, which also function 
as insect, rodent, and bird barriers. These 
openings provide very little security. 
Standard windows and utility ports con- 
stitute potential weak links in a barrier 
system and may require enhancement to 
provide significant delay. Windows with- 
out enhancement have little penetration 
delay time, because most windows can be 
penetrated with hand tools in less than 30 
seconds. Utility ports may have lift-off 
covers that are not equipped with locking 
devices or interior barriers. 

The strength and weight of the frame 
material of a window vary widely with 
the class of window and manufacturer. 
Some manufacturers fabricate a security 
sash; however, this term can be mislead- 
ing since the frame material is not hard- 
ened. Where windows are installed in 
doors, the metal strips separating the glass 
have proven to be weak. For example, a 
hand tool can be used to accomplish 
penetration in a few seconds. However, 
several special window frames contain 
concealed materials that resist cutting 
tools. If a window can be opened and 
closed, the window-locking mechanism 
may constitute a weak link, and, if forced, 
this window can be opened. The position 
and operation of the locking mechanism 
of a window vary with type and manu- 
facturer. The mechanism should be 
located so that it is not readily accessible 
from the exterior. The installation of 
more substantial locking devices or fixed 
windows could be considered as possible 
upgrade options. 

Window frame attachment to the struc- 
ture may be improved by the use of addi- 
tional or heavier fasteners or by welding 
the frame fin, but these techniques may 
not affect the delay time through the 
window unless additional upgrades are 
made to the glazing materials and pro- 
tective coverings. Glass glazing materials 
include standard, tempered, wire, and 
laminated glass. These types of glass pro- 
vide a barrier to the elements but will not 
provide significant delay times. 



Standard glass materials are highly 
frangible. Penetration by hand tools gen- 
erally requires only a few seconds. Where 
a higher level of penetration resistance is 
required, thick security glass can be used. 
In addition, standard glazing materials 
are often upgraded with a protective grill 
of expanded steel mesh or other forms 
of metal grills. Tempered glass is formed 
by the reheating and sudden cooling of 
a base glass. Although tempering greatly 
increases its mechanical strength and 
thermal stress characteristics, the glass 
can still be easily broken with moderate 
force. It can be shattered into gravel-size 
pieces by hand tools (impact) in a few 
seconds. 

The primary use of wire glass is in fire 
doors and fire windows. The V 4 -inch thick 
material is fabricated with diamond, 
square, or hexagonal wire patterns. Pene- 
tration of wire glass can be achieved using 
hand tools in approximately 20 seconds. 
Laminated glass is manufactured as a 
safety and security glass; however, not 
all types of laminated glass are recom- 
mended by manufacturers for use in secu- 
rity areas. Laminated glass is composed 
of two or more panes of annealed float, 
sheet, or plate glass bonded to a layer or 
layers of plastic that range in thickness 
from 0.050 inches to 0.090 inches. 
Safety glass that is V 4 -inch thick can be 
penetrated in 30 seconds, while 9 / le -inch 
thick security glass requires 1.5 minutes 
of work with hand tools to produce a 
crawl-through hole. Security glass is 
not transparent armor. It is simply more 
resistant than standard glass to forcible 
penetration. 

Transparent plastics can be used as 
substitutes for most glass; however, some 
are combustible and their use is restricted 
by fire codes. Acrylic plastics such 
as Lucite™ and Plexiglas™ up to 1-inch 
thick can be easily broken with hand tools 
in less than 10 seconds. The impact re- 
sistance of polycarbonates, on the other 
hand, approaches the same performance 
level as that of bullet-resistant glass. Tests 
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show that V 2 -inch thick Lexan® resists 
hand-tool penetration for up to 2 minutes 
(Nuclear Security Systems Directorate, 
1989). Thermal tool attacks require about 
1 minute, but they also result in com- 
bustion and release of toxic gases. Both 
acrylic and polycarbonate plastic panels 
up to 1-inch thick can be easily cut with 
power tools. 

Glass/polycarbonate composite glazing 
contains a tough core layer of polycar- 
bonate laminated between two outer 
layers of glass. The glazing was originally 
developed for use in prisons to replace 
vulnerable security glass. In tests using 
common hand tools and miscellaneous 
pipe, bars, and steel sections, glass/poly- 
carbonate composites were penetrated 
when hand tools and fireaxes were used, 
but the thickest panels resisted forcible 
entry attempts for 10 minutes when mis- 
cellaneous steel tools were used (Nuclear 
Security Systems Directorate, 1989). 

The penetration resistance of a window 
or utility port may be increased by the 
installation of protective coverings, such 
as grills, bars, expanded-metal mesh, or 
screens. Similarly, grids and grates con- 
structed of steel mesh, expanded metal, 
bar stock, tubing, or bars can be used to 
reduce the size of the opening in utility 
ports to prevent crawling through the 
port. Use of these coverings should occur 
at or after appropriate detection to be 
effective in protection. The degree of 
improvement in windows should be 
dictated by the balanced design concept. 
With the proper selection of enhance- 
ments (protective coverings, grills, mesh), 
different glazing material, or methods 
of frame attachment, the delay time of 
windows may approach the delay time of 
doors or even walls for some threats. 

In addition to doors and windows, most 
tunnels used to link buildings are not 
protected very well. Access may be con- 
trolled only by lift-off covers or manholes 
that are not equipped with locking de- 
vices or interior barriers. Pipe channels 
used inside buildings are often quite 



congested, but still allow space for main- 
tenance work. Ducts associated with 
heating, ventilating, and air conditioning 
systems could provide an adversary path. 
Tunnels, manholes, roof, and wall open- 
ings for equipment, and ductwork can be 
enhanced by installing interior barriers or 
a series of barriers. 

An option that may be considered in 
future designs for new buildings could be 
the use of smaller-than-man-size windows 
and multiple, small openings for utility 
ducts. Windows could be removed from 
existing structures to allow the original 
window opening to be upgraded to the 
same penetration delay as the adjoining 
wall. 



Roofs and Floors 

Roofs and floors function as climatic bar- 
riers, provide working surfaces, and, to 
some degree, function as protective barri- 
ers; however, their use as physical pro- 
tection against penetration by determined 
adversaries is generally not considered. 
The penetration threats include hand, 
power, and thermal tools, and explosives 
used alone or in combination. 

Construction methods and materials 
used for roofs and floors are similar. 
The basic materials may vary slightly in 
total thickness; type and quantity of steel 
reinforcement; and the concrete strength 
required to carry the loads. In general, 
floors offer more resistance to penetration 
than roofs do, because they are protected 
by the main structure and are designed to 
accommodate heavier loads than roofs. 

Contemporary roof types used on many 
structures include: 

• prestressed concrete tee beam 

• metal subdeck and reinforced 
concrete 

• metal roof deck with lightweight 
concrete 

• metal roof deck with insulation 

• metal roof 
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• reinforced concrete beam and slab 

• wood sheathing with membrane 

The following suggested enhancements 
do not apply directly to any one roof type, 
but rather to the roof elements. The most 
cost-effective enhancements appear to 
be those placed below the roofline; they 
could be applied to either new or existing 
facilities. Available roof enhancements 
include: 



to be 10 to 12 inches. This distance may 
create a hole effect, or the restriction of 
the operating space needed for the tool 
and the available crawl space. The 
enhancement materials used within barri- 
ers could range from quarry screen to 
expanded steel bank vault mesh or floor 
gratings. 

Dispensable Barriers 



• membranes enhanced with embed- 
ded screen 

• several inches of rigid insulation 
added 

• concrete reinforced with deformed 
steel bars and expanded steel mesh 

• larger rebar formed into multiple 
rows or layers for reinforced concrete 

• on corrugated roofs, the number 
of fasteners should be increased, 
and additional structural members 
installed 

• joints on metal systems should be 
secured with mechanical fasteners or 
with a continuous weld and heavier 
gauge material 

• reinforcement of the flange area of 
precast concrete tee beams with 
larger rebar 

Penetration tests have indicated that 
barriers placed below the roof are some- 
times more effective against penetration 
than those in the roof itself. Such barriers 
may be used in some existing structures 
without major modification. Placing these 
enhancements below the roofline pro- 
vides the structure with some protection 
against direct attack and could make a 
second penetration necessary. This sec- 
ond penetration could be constrained 
to take place in a confined area and could 
force the use of tools from other tool 
classes in order to complete penetration. 
The exact position of a barrier below the 
roofline is a factor in its effectiveness. The 
optimum distance below the roof appears 



Dispensable barriers are those that are 
deployed only when necessary, that is, 
during an adversary attack. Two cate- 
gories of dispensable barriers have been 
developed: active and passive dispens- 
able barriers. Active dispensable barriers 
can, on command, stop or delay an ad- 
versary from accomplishing the objective. 
Several types are under development. 
This section identifies the major com- 
ponents of an active dispensable barrier 
system and describes some of the attri- 
butes of dispensable materials. 

A typical active dispensable barrier 
system includes: 

• a process for decision-making to de- 
termine when the dispensable bar- 
rier is to be activated 

• command and control hardware to 
implement this decision 

• the material that is deployed to phys- 
ically deny access 

• the dispensing mechanism 

• a guard force located on site 

The activation decision mechanism 
may involve either a member of the guard 
force, some form of intrusion sensing, or 
the combined action of both the guard 
force and sensors. The major compromise 
is between assurance that activation can 
and will occur in an adversary attack 
(reliability) and assurance that the prob- 
ability of inadvertent activation is low 
(premature activation). Hardware design 
and effective operational procedures can 
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reduce the probability of inadvertent acti- 
vation to as low a value as required. 

The command and control hardware 
accepts the activation decision and 
must operate the dispensing hardware. 
Command and control hardware stands 
between the decision mechanism and the 
dispensing hardware. Because the activa- 
tion decision mechanism and the dis- 
pensing hardware may be separated by 
large distances, electromagnetic radiation, 
lightning, earthquakes, power surges, and 
other possible severe environments must 
be considered in the design. The com- 
mand and control hardware improves 
personnel safety and assures that, if in- 
advertent activation occurs, authorized 
personnel in the area have time to avoid 
personnel hazards. 

The dispensable material is normally 
stored in a compact form, and through a 
chemical or physical reaction, is ex- 
panded to an effective delay state. The 
same properties that permit compact 
storage and rapid expansion make acti- 
vated delay systems attractive in physical 
protection applications where operational 
considerations are dominant. Dispensing 
hardware consists of storage tanks, acti- 
vation valves, pressure regulators, safety 
valves, filters, power sources, and plumb- 
ing hardware. The specific hardware 
design is unique for each material and 
application, but many of the components 
are similar. This uniqueness of design 
and limited application are factors that 
increase the cost of the dispensing hard- 
ware. Further, the dispensing hardware 
itself must be protected from use or dis- 
ablement by an adversary. 

Dispensable barriers will only delay an 
adversary for a finite time. They are best 
used in conjunction with passive barriers 
such as turnbuckles, tie-downs, or cables. 
At some point in time, the adversary will 
defeat any delay mechanism. Therefore, 
the response force must respond and 
achieve control in a shorter time than the 
dispensable barrier delay time. 



Dispensable barriers require the ad- 
versary to be prepared to do more than 
just evade the response force. They must 
also be able to successfully defeat the 
dispensable barrier. Dispensable barriers 
usually have the effect of isolating the 
adversary visually, acoustically, at a par- 
ticular location, or sometimes in combi- 
nation. This increased requirement on 
the adversary can significantly increase 
the probability that the overall PPS will 
perform as desired. 

Passive dispensable barriers present 
many of the same benefits as active dis- 
pensable barriers but they differ in one 
important aspect. Passive dispensable 
barriers do not require any command and 
control system. The dispensing mecha- 
nism is activated by the penetration 
attempts of the adversary. Elimination of 
command and control hardware signifi- 
cantly reduces the cost of passive dis- 
pensable barriers compared to active 
dispensable barriers. 

While structural barriers are attractive 
due to their simplicity, dispensable barri- 
ers offer an alternative that, in some appli- 
cations, is more operationally acceptable 
and may be cost-effective. Specific dis- 
pensable materials and associated dis- 
pensing hardware that are being de- 
veloped and tested include: 

• rigid polyurethane foam 

• stabilized aqueous foam (see Figure 
11.5) 

• smoke or fog 

• sticky thermoplastic foam (see Figure 
11.6) 

• various entanglement devices 

Rigid foam encasing has been used for 
long-term storage of assets or for protec- 
tion when transporting materials between 
sites. Stabilized aqueous foam has been 
used in government installations over- 
seas. This material has the added benefit 
of being a fire retardant, so it can add 
safety benefits if needed. Pepper mace or 



218 



Design Physical Protection System 




Figure 11.5 Dispensing of Aqueous 
Foam. The foam rapidly expands and fills 
the area near the asset location. This iso- 
lates the adversary visually and acousti- 
cally from the environment 



other irritants can also be added to 
aqueous foam to further delay an adver- 
sary. Smokes and fogs are easy to dispense 
and are commercially available in the 
form of dry ice or other fogging machines, 
such as those used in theatrical applica- 
tions. Sticky foam has been used as a 
passive barrier in some specialized appli- 
cations, and has been considered for use 
in less-than-lethal applications, such as 
prison cell extractions or crowd control. 
Entanglement devices include coils of 
wire or nets suspended from ceilings and 
the dropping of shredded paper or other 
similar items from above onto an adver- 
sary. These items are most effective when 
combined with smoke or fog barriers, as 




Figure 11.6 Sticky Foam Test. The adver- 
sary has picked up the asset but is unable 
to move due to the sticking action of the 
foam. The asset was also secured with 
heavy wires anchored into the board the 
asset was placed on using turnbuckles as 
a passive barrier 



they will not be immediately obvious to 
an adversary entering an area where the 
smoke has just been deployed. Obviously, 
safety issues will be a large part of the 
decision as to the use of some dispensable 
barriers. 

Due to their higher cost, dispensable 
barriers are generally deployed very close 
to the assets being protected. This is also 
the most effective location for delay ele- 
ments in general. Although it is feasible to 
fill an entire building with smoke or fog, 
it would be very cost-prohibitive. A more 
desirable approach is to deploy the obscur- 
ant only in the room where the assets 
are stored. By deploying the dispensable 
materials close to the target, the issues of 
cleanup and collateral contamination are 
also reduced. 

During evaluation at Sandia National 
Laboratories, different materials per- 
formed relatively better in single system 
attributes, but none of the materials is 
superior in all, or even most, of the qual- 
ities that have been discussed. The selec- 
tion of an optimum dispensable barrier 
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material for a given application is often a 
compromise among the following major 
attributes associated with dispensable 
barriers: 

• exert a minimum impact on 
operations 

• protect volumes 

• provide adequate safety to personnel 

• may operate independently of 
barriers 

• may offer multiple activation options 

• have a long storage life 

• provide protection-in-depth 

• can be cost-effective 



Procedures 



Due to the form of most passive barriers, 
they do not generally require any addi- 
tional maintenance other than normal 
cleaning, periodic inspection, or upkeep. 
Fences, doors, windows and other delay 
elements should be repaired or replaced if 
loose or broken. Maintenance procedures 
for dispensable delay systems vary widely 
depending upon the system design. 
Generally, passive dispensable systems 
do not require any sort of maintenance 
other than checking for obvious damage 
and appropriate pressure in pressurized 
designs. Active dispensable systems re- 
quire routine exercising of the command 
and control system with artificial loads. 
The design life for dispensable delay 
systems ranges from 10 to 25 years. 

Certain access points such as utility 
ports, ducts, or drainage pipes can be 
sensored to provide an alarm when dis- 
turbed. If the sensor is placed early in the 
delay time of the access point, an effective 
combination of detection and delay can 
be achieved. Even in the absence of im- 
mediate CCTV assessment, a procedure 
for responding to any alarm from one of 
these sensors can be implemented. Selec- 
tion of an appropriate sensor with a high 
P D and a low NAR for the area will assure 
that guards will only be dispatched occa- 



sionally. This will provide a balance 
between effective protection and cost. 

Summary 

A close examination of the large variety 
of paths or scenarios an adversary can 
select to penetrate a given facility will 
probably indicate that existing barriers 
do not ensure that adversary delay time 
will always be sufficient for an adequate 
response force to react. Further, if the 
adversary has not been detected prior to 
encountering a particular barrier or dur- 
ing penetration, the effectiveness of that 
barrier may be negligible. Most conven- 
tional barriers such as fences, locks, doors, 
and barriers for windows provide short 
penetration delay against forcible (and 
perhaps stealthy) attack methods that do 
not use explosives. Against thick, rein- 
forced concrete walls and other equally 
impressive-looking barriers, explosives 
become a more likely method of penetra- 
tion by the adversary. Ensuring that mean- 
ingful barriers are in effect at all times 
of the day and night may be difficult 
to accomplish without adversely affecting 
normal facility operation. Often, the use 
of compensatory measures, such as addi- 
tional guards, is required to offset the 
decreased delay and increased risk 
encountered during certain operations 
such as fire drills, or maintenance by con- 
tract employees. 

On the positive side, a barrier system 
can be configured or enhanced to provide 
effective delay times. For instance, the 
presence of multiple barriers of differ- 
ent types along all possible adversary 
paths should complicate the adversary's 
progress by requiring that they be 
equipped with a number of different 
barrier attack tools and skills. Locating 
barriers next to detection alarms should 
aid in accurate assessment of and 
response to adversaries. 

If the facility to be protected has not 
yet been constructed, barriers can be 
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incorporated into its design. For example, 
placing the facility either underground or 
aboveground with massive overburden 
is an option that should be seriously 
considered. Using balanced design prin- 
ciples, appropriate detection systems, and 
response forces, a facility can be made 
highly resistant to outsider and insider 
threats, and to the method of transporta- 
tion used by adversaries (foot, land 
vehicle, or aircraft). 

Consolidating assets into a single room 
or vault is often one of the most effective 
ways to reduce response time and the cost 
of delay upgrades. Having assets scattered 
throughout a site requires the guard force 
to accurately assess the threat location 
and contend with the possibility of diver- 
sionary tactics by the adversaries. 

Finally, the use of dispensable barriers, 
such as entanglement devices, or dis- 
pensable chemicals such as obscurants, 
irritants, and foams offer significant 
potential for increasing adversary delay. 
These dispensable deterrents should be 
coupled with passive structural-type 
barriers to synergistically increase delay 
times. Also, conventional breaching tech- 
niques and equipment used by an adver- 
sary may be so ineffective that they would 
choose not to continue attacking that 
barrier. Any activated dispensable barrier 
will, of course, require protection of the 
complete activation system to avoid 
or to adequately delay disablement by an 
adversary. 



Security Principles 

Access delay follows detection in an 
effective physical protection system. 

The performance measure for access 
delay elements is time. Delay time for the 
adversary will depend on the barrier to be 
breached and the tools that are used. 

Delay elements include passive barri- 
ers, guards, and dispensable barriers. 

As a part of protection-in-depth, delay- 
in-depth should be implemented. 



Delay barriers should provide balance 
along adversary paths. 

Dispensable barriers must be used in 
combination with passive barriers to pro- 
vide the most effective delays. 
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Questions 



1. Would an adversary always choose 
the fastest penetration method? 
What situations would lead an 
adversary toward making a slower 
penetration effort? 

2. Why are a variety of hand tools con- 
sidered to be used for some barriers 
but only very limited penetration 
equipment for the more substantial 
barriers? 

3. What are some of the ways that a 
perimeter fence line can be up- 
graded to increase the delay time 
for vehicle penetration? 

4. Where is the best placement for a 
vehicle barrier in a double-fence 
system? 

5. What are some of the ways that a 
perimeter fence line can be up- 
graded to increase the delay time 
for adversaries on foot? 
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6. Why is it important to ensure that 
the floor, ceiling, and walls of a room 
are balanced — that is, provide the 
same delay? What would help deter- 
mine the need for this degree of 
protection? 

7. Why is it important to use multiple 
barriers and different barriers? 



8. What are some of the advantages and 
disadvantages of using explosives as 
a means to gain access to critical 
assets? 

9. Why do you think we say that dis- 
pensable barriers near the target 
can be a very cost-effective delay 
mechanism? 
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As discussed in previous chapters, an ef- 
fective PPS must perform the functions 
of detection, delay, and response. The last 
of these functions, response, will be pre- 
sented in this chapter. The response func- 
tion includes responding personnel and 
the communications system that is used. 
The composition of the response force 
varies from facility to facility. A part of or 
all of the response force may be located 
on-site or off-site. The response force may 
include proprietary or contract guards, 
local and state police, and, for some in- 
cidents, Federal agencies such as the 
FBI, DEA, or Customs. In this text, guards 
will refer to the on-site personnel who are 
available to respond to an incident; 
response force is a more general term 
meant to include all security response 
personnel who may be involved in the 
response at a particular facility, both on- 
site and off-site. 

Response may be broken into two major 
categories — immediate on-site response 
(timely response) and after-the-fact re- 
covery. Depending on the needs and 
objectives of a facility, it is prudent to 
decide in advance which type of response 
will be used at the site under various 



conditions. Protection of different targets 
may require different response plans. For 
example, stopping an intruder about to 
sabotage a critical valve in a refinery may 
require an immediate on-site response, 
while recovery may be a better technique 
for theft of low-value company property. 
For a recovery-based response, the use of 
videotape for after-the-fact review can be 
very effective and legally acceptable. It 
should be apparent that timely response 
will require better detection and delay 
than a response strategy that focuses on 
recovery of the asset. A recovery strategy 
may not be acceptable for all assets. For 
example, recovery of stolen documents 
or information may not be meaningful, 
because the thief may already have copied 
or distributed the information. In a like 
manner, once an incident of workplace 
violence has occurred, the capture of 
the perpetrator is commendable, but 
there is still the aftermath of the event 
to consider. This aftermath may include 
legal action by the victim or the victim's 
family against the facility, bad pub- 
licity for the facility, poor employee 
morale, and regulatory action against 
the facility. 



223 



224 



Design Physical Protection System 



Because of the wide variety of response 
force personnel that can exist, it is diffi- 
cult to provide information concerning 
the specific procedures or tasks that the 
response force may be expected to 
perform. Depending on the threat, conse- 
quence of loss of the asset, and the par- 
ticular facility, the response force must 
either prevent adversaries from accom- 
plishing their objective or work to recover 
the asset. Recovery efforts may include 
investigation of the incident to find the 
culprit, filing insurance claims, or pursuit 
of the adversary immediately after the 
incident. Specific task assignments to 
accomplish these functions will be 
reflected in variations of qualification 
standards, training requirements, and 
performance standards as measured by 
realistic tests, governed by policies and 
procedures at the facility. In this chapter, 
the PPS function of response has been 
divided into four parts — general con- 
siderations, contingency planning, com- 
munication, and interruption. 

General Considerations 

Staffing of the response force is funda- 
mental to the performance of the response 
function. Proprietary guard forces are 
those in which the members are direct 
employees of the facility. Contract ser- 
vices also exist for facilities that prefer to 
contract this service out to others. There 
is considerable debate as to which of these 
two options is best at a facility (Fischer 
and Green, 1998). It is likely that the 
answer will depend on the goals and 
objectives of each corporation and facility. 
Facility size, assets, location, cost, and 
other factors may favor use of one system 
over the other. Many facilities use a com- 
bination of the two, which can provide 
flexibility. Hertig (1999) has written a 
paper discussing the considerations of 
contract versus proprietary forces. In 
addition to the use of contract and pro- 
prietary guards, some facilities also hire 



members of local law enforcement to help 
at night or at periods of heavy demand, 
such as morning or evening rush hours. 
Use of local law enforcement officers is 
appealing because these officers have the 
legal authority to arrest or detain suspects 
and to use appropriate force. It is impor- 
tant to reiterate at this time that people 
make bad detectors, so the investment in 
guards may not be effective if the PPS is 
heavily dependent on guards for this 
function. A more cost-effective solution 
would be to reduce the number of guards 
and add technology to supplement guard 
duties. This will provide better PPS per- 
formance at a lower cost than the addition 
of more people. 

Regardless of which type of guard force 
is used at a facility, the key to effective 
guard use is training. Hiring contract 
forces may reduce costs, but does not 
absolve the hiring facility from responsi- 
bility for their actions. For this reason, it 
is important to provide training at the 
facility or to incorporate training expec- 
tations into the terms of the contract with 
the vendor. 

The details of the legal issues that are 
associated with guards and the response 
force are too numerous and complex to be 
dealt with at any length in this text. These 
issues, however, generally fall into cate- 
gories of civil and criminal law and lia- 
bility. Under civil law, intentional torts 
such as assault, battery, false arrest and 
imprisonment, defamation, invasion of 
privacy, malicious prosecution, and negli- 
gence are common. Criminal law is perti- 
nent when dealing with trespassers, 
illegal drug use, sexual assault, receiving 
stolen property, and fraud. In these cases, 
the guard force may need to collect evi- 
dence to present to law enforcement offi- 
cers for further legal action. Another area 
of law that has application is labor law. 
Labor law addresses issues such as wrong- 
ful termination, activities by labor unions, 
and strike surveillance. Consideration of 
these legal issues and others is required to 
protect the corporation and its employees 
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from legal action. Because each state has 
different laws concerning these various 
elements, it is recommended that local 
law enforcement or attorneys be con- 
sulted for guidance in establishing pro- 
cedures. Hertig (1999) has written an 
excellent overview of legal issues and 
the security function. In addition, some 
actions, such as kidnapping, require 
notification of federal agencies, which 
will then have legal jurisdiction. This 
principle also applies to bombings at 
private facilities or attacks on government 
property. 

Contingency Planning 

Contingency planning is an important 
part of a facility's ability to successfully 
resolve an incident. Prior planning will 
help a facility manager identify potential 
targets, respond to different threats, inter- 
act with outside agencies, and determine 
what level of force guards can use in 
various situations. Well-documented pro- 
cedures should be developed in ad- 
vance as a major part of contingency 
planning. 

A critical part of the design and analy- 
sis process of a PPS is the identification of 
assets. This was covered completely in 
the previous chapter on target identifica- 
tion. Once assets are identified at a facil- 
ity, the security manager can evaluate the 
likely routes an adversary may use to 
approach the facility boundary and the 
specific asset. This information will assist 
managers in developing detailed tactical 
plans to address various threats to the 
facility. In addition, it will be useful in 
determining guard patrol routes and 
schedules. Based on the adversary goal 
and the consequence of loss of the asset, 
different response force strategies will 
be used. These strategies include contain- 
ment, denial, and, occasionally, assault. 

Containment is the strategy used 
against an adversary with theft as their 
goal. This refers to the ability of the 



guards and the response force to prevent 
the adversary from leaving the site with 
the stolen asset. A denial strategy is used 
when the adversary goal is sabotage or 
violent attack. In this case, the guards or 
response force must prevent the adversary 
from completing the task of sabotaging 
equipment or carrying out the violent 
attack on another person. It should be 
apparent that in order for a denial strategy 
to be successful, the response force must 
be present at the location and time of the 
sabotage or attack. A containment strat- 
egy for a sabotage goal does no good, be- 
cause the response will come after the 
sabotage event has been completed. On 
occasion, the response force may need to 
use force to overcome an adversary. This 
is most common in hostage incidents or 
when dealing with mentally unstable 
individuals. 

Tactical planning should also be part of 
contingency planning in general. Proce- 
dures and plans for guard actions in the 
event of an adversary attack should be 
well established. The chain of command 
and the succession of command in case of 
emergency should be well known. Plans 
must be made to ensure that members of 
the response force possess or have rapid 
access to the proper equipment consistent 
with the defined threat. Tactical plans 
must contain specific details for the 
response force to deploy successfully. 
Response strategies of containment, 
denial, and assault must be well 
planned and practiced. 

The role of the guard force should also 
be factored into the facility contingency 
plan. A guard force whose key role is the 
containment of adversaries until addi- 
tional help arrives will deploy differently 
than a guard force capable of recovery 
operations. It is possible that there will 
be two sets of guards at a facility: one 
group checking credentials, patrolling, 
and serving the deterrence/delay role, and 
another, more highly skilled group with 
primary responsibility for response to a 
malevolent event. 
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Security personnel, due to their access 
and familiarity with a facility, are a nat- 
ural choice for assistance under abnormal 
conditions at a site. The facility may ask 
security personnel to help in the event of 
a natural disaster, bad weather, or acci- 
dent. These services are reasonable but 
should not compromise the protection of 
assets at the facility. Procedures should be 
determined in advance with facility safety 
personnel, management, legal counsel, 
local law enforcement, and other public 
safety agencies. These procedures should 
be documented and included in guard 
training. Part-time peace officers working 
at the facility should also be knowledge- 
able of these procedures and of any 
hazards that exist at the facility. These 
procedures do not need to be specific to 
each abnormal condition, but can be 
used as applicable. For example, in case 
of bad weather, the procedure may require 
early arrival of facility maintenance per- 
sonnel to place rugs at doorways to 
prevent slipping or other site-preparation 
measures, such as snow removal. The pro- 
cedure may also include notification to 
employees of a delayed work schedule 
announced via local radio, employee 
voicemail, or through a hotline. The guard 
force should be aware of these procedures 
and understand their role at these times. 
In the event of a power failure or a fire, 
security personnel may be used to assist 
in evacuation of buildings and crowd 
control until the all-clear signal is issued 
or another determination made. These 
procedural elements can then be applied 
as needed for a particular emergency. The 
security manager alone cannot create 
these procedures; rather, they must repre- 
sent a cross-section of input from various 
components of the facility. 

In addition, natural or man-made disas- 
ters that cause business at the facility to 
cease may also require the help of the 
security organization. If the stoppage is 
due to an adversary attack, the company 
must have processes and procedures in 
place to resume operation as soon as 



possible, while still collecting and pre- 
serving evidence. In the event of an abnor- 
mal incident, use of daily operational 
procedures, such as daily backup of com- 
puter files or storage of backup records at 
an off-site location, may reduce the effect 
of a catastrophic event. The security orga- 
nization can play a role in assisting the 
facility to get back to normal operation 
after an abnormal event, and certainly 
will be involved in the investigation of 
any malevolent events and their after- 
math. Abnormal conditions may reveal 
weaknesses in the security protection at a 
facility and provide an opportunity to 
improve asset protection. 

Security managers should consider 
using support from outside agencies as 
they do their contingency planning. A 
facility may create support agreements 
with local or state law enforcement agen- 
cies or mutual aid agreements with other 
local sites. To facilitate this, a written 
support agreement with outside agencies 
or sites should be developed. This written 
agreement should detail the interaction 
between guards and these agencies. The 
agreement should be developed with 
input from all participants affected by the 
agreement and approved by each organi- 
zation. Issues such as the outside agency's 
role in an incident, off-site pursuit by 
guards, and communication should be 
considered. The roles of outside agencies 
should be well defined and communi- 
cated among all participants. Security 
managers may also consider use of other 
agencies for recovery support. These de- 
cisions will need to be based on the 
agency's response time, training, equip- 
ment, and availability to support the facil- 
ity. In addition, security managers may 
decide to provide their guards with off- 
site credentials and authority to facilitate 
the response force's ability to operate 
outside of the facility's boundaries. This 
may be an important consideration during 
deployment or pursuit. 

Communication will be a key factor in 
the interaction between facility personnel 
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and other agencies. Since different agen- 
cies may not operate on the same radio 
frequency, the security manager will need 
to evaluate alternate means of communi- 
cation during abnormal or malevolent 
conditions. A dedicated landline may 
be used for initial notification to outside 
agencies, and preplanned routes and 
containment positions may help resolve 
on-scene communications concerns. 

Joint Training Exercises 

A critical factor that will influence the 
ability for a neighboring agency to suc- 
cessfully support a facility is joint train- 
ing. The facility security manager should 
plan and conduct periodic training exer- 
cises with outside agencies that provide 
response support. The scope of this train- 
ing will be dictated by the agency's 
support role. If the outside agency will act 
primarily in a containment capacity, then 
primary containment positions and areas 
of responsibility should be practiced. 
However, if the support agency will be 
conducting recapture or rescue opera- 
tions, more detailed training and facility 
knowledge will be required. 

Use of Force 

Different threats may require guards or 
other responders to employ a wide variety 
of force to address any given situation. 
Response force personnel should have the 
ability to apply multiple levels of force to 
stop an adversary's actions. This will 
include the guard's presence as a deter- 
rent or delay, the use of less-than-lethal 
force, and when justified, the use of 
deadly force. The range of force tactics 
available is referred to as the force con- 
tinuum. The force continuum begins with 
presence of a guard, and progresses 
through verbal commands, use of less- 
than lethal-force, and finally, deadly force. 
The facility should have a written policy 
to provide clear guidelines to guards in 



the use of force. The decision about which 
weapons, if any, to be issued to the guard 
force should be in alignment with the 
threats to the facility. 

A use of force policy should be based 
on using the minimum amount of force 
necessary to stop an adversary's actions 
under varying but expected conditions. 
Typically the amount of force used will be 
dictated by the adversary's actions. For 
example, an unarmed adversary who is 
refusing to follow the instructions of a 
guard but does not present any other 
threat should be handled with less force 
than an adversary who is armed and 
posing a threat to the facility or guards. 
This type of policy will typically require 
guards to have the ability to employ less- 
than-lethal force weapons such as impact 
(baton) or chemical (mace) weapons. 

The use of armed guards at a facility 
must carefully balance the value of the 
asset with the additional legal liability 
and training costs that will arise. Armed 
guards are used at banks, armored car 
companies, private facilities located in 
high-crime areas, large shopping malls, 
and large industrial complexes with mul- 
tiple high-value assets. The use of armed 
guards at a location will be determined by 
the design basis threat to the facility. 
Armed response is usually left to local 
law enforcement, but if an armed threat is 
expected, guards may be required to carry 
guns. Facility guards must still receive 
training in interaction with local law 
enforcement, in when to call for assis- 
tance, and in proper use of whatever force 
is authorized at the facility. 



Training 

After developing a use-of-force policy, 
supervisors should provide response 
force personnel with training to ensure 
that all personnel are well versed in the 
policy and use of their weapons. Man- 
agers should consider semi-annual or 
quarterly training and qualifications to 
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ensure that their personnel are capable of 
successful application of the facility's 
policy and weapons. Documentation of all 
training records will be useful in the event 
of any legal challenges or post-incident 
reviews. 

When designing a training program, it 
is important to consult the facility secu- 
rity manager and the PPS designer. The 
facility security manager is most familiar 
with the functional performance and task 
requirements of guards. The manager is 
also responsible for a separate training 
agenda that deals with policies, proce- 
dures, and basic training not specific to 
system operation, such as arrest powers, 
use of force, and communications. The 
designer is most familiar with the opera- 
tions and limitations of the PPS equip- 
ment and the other PPS functions of 
detection and delay. From the designer's 
point of view, the objectives of training are 
to maximize the ability of the response 
force to use the PPS in carrying out its 
basic mission, which is protection of the 
assets of the facility. The training program 
at a facility should explain corporate poli- 
cies and procedures and their relationship 
to legal and operational aspects of the pro- 
tection system. At a minimum, a review 
of legal do's and don'ts, as well as train- 
ing in interpersonal contact, use of the 
force continuum, and incident reporting 
should be included. Because each state 
requires varying degrees of training for 
security guards, careful consideration of 
state requirements and facility objectives 
will be required to construct a suitable 
training program at a particular facility. 
Thibodeau (1999) and Baker (1999) have 
written excellent articles on guard train- 
ing programs. 

Communication 

Communication is a vital part of the 
response function. The proper perfor- 
mance of all other system functions 
depends on communication. Information 



must be transferred through this network 
with both speed and reliability. Com- 
munication to the response force must 
contain information about adversary ac- 
tions and instructions for deployment. 
The effectiveness measures for response 
communication are the probability of 
accurate communication and the time 
required to communicate to the response 
force. The communication network in- 
cludes voice and other systems that 
allow guards and response forces to com- 
municate with each other. The successful 
operation of a PPS requires a reliable 
response force communication network 
that is resistant to being used to the 
advantage of knowledgeable and deter- 
mined adversaries, as established by the 
design basis threat. 



Normal Use 

The most common system used to main- 
tain effective control and coordination of 
the guard force at a facility consists of 
low-power, battery-operated, handheld 
radios. These radios are small, lightweight 
devices that allow rapid reporting of con- 
ditions found during routine patrols and 
enable rapid deployment of the response 
force during security events. A typical 
radio operates on any one of two to six fre- 
quencies or channels. The maximum 
range for reliable communication between 
two radios is 1 to 3 miles. More powerful 
transmitters and better receivers can be 
used at security headquarters and in se- 
curity vehicles. These units can allow re- 
liable communication up to ranges in 
excess of 12 miles. 

In most cases, the radio systems used 
for response force communications are 
conventional, narrow-band, frequency 
modulation (FM), clear-voice radio sys- 
tems. In this context, clear voice means 
that no attempt has been made to encode 
or scramble voice transmissions. As a 
result, effective eavesdropping is possible 
on- or off-site by an adversary possessing 
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a receiver that can be tuned to the same 
frequency. Depending on the site configu- 
ration, its area, and on-site building con- 
struction, these systems can suffer from 
deficiencies common to RF communica- 
tion systems. 

The biggest deficiency of this system is 
the inadequate range of handheld radios. 
Higher output power from the handheld 
units, use of RF repeaters across a site, or 
a multiple-receiver system can minimize 
this deficiency. An RF repeater receives 
voice transmissions from the handheld 
units and transmits them again on a sep- 
arate frequency to all other units within 
the system. By placing the repeater at a 
high location, the range of the radios 
increases. A multiple receiver system con- 
sists of several remotely located receivers 
connected to the central monitoring 
station by a landline. A microcomputer 
monitors the signals received by all mul- 
tiple receivers and transfers the informa- 
tion to the central station from the remote 
receiver receiving the strongest signal. 

Conventional radio systems have 
several advantages including simplicity, 
ease of operation, efficiency, and low cost. 
If proper transmission procedures are fol- 
lowed and strict communication network 
discipline observed, routine communica- 
tions using these systems is very clear, 
and routine daily business can be con- 
ducted efficiently. 



Eavesdropping and Deception 

Although conventional radio systems are 
generally adequate for routine communi- 
cations at most facilities, transmissions 
within the security network should resist 
threats from intelligent and resource- 
ful adversaries. Conventional clear-voice 
radio systems have some serious disad- 
vantages. Adversaries possessing only a 
conventional receiver, which can be 
tuned to the proper frequency, can easily 
monitor conventional transmissions at 
locations remote from the site. Even if the 



frequency is unknown, scanners can auto- 
matically search and determine the fre- 
quency in use. When using a conventional 
radio system, it should be assumed that 
adversaries are eavesdropping on trans- 
missions. Security personnel should de- 
termine what information is released 
during routine operations and how an 
adversary might use that information. 
Even information released during training 
exercises might be extremely valuable to 
an adversary. Conventional radio commu- 
nications should be limited to only those 
transmissions that are absolutely neces- 
sary and that cannot be communicated by 
more secure methods, such as telephones 
and intercoms. Use of cellular telephones 
should be avoided, due to the ease of 
adversary interception of the signal. 
Depending on the threat to a facility, 
conventional radios may be sufficient 
for guard communication. 

Similarly, an adversary needs only a 
transmitter tuned to the operating fre- 
quency to transmit deceptive messages. 
An adversary might use deceptive mes- 
sages during a facility assault in an 
attempt to confuse members of the 
response force. Voice-private radios that 
make a network resistant to eavesdrop- 
ping will also make it resistant to the 
transmission of deceptive messages. If an 
adversary cannot understand a message 
because it has been scrambled or digital- 
ly encrypted, they will probably not pos- 
sess the means to transmit a deceptive 
message in the appropriate format. 

Several procedural options can also 
improve network resistance to eavesdrop- 
ping and deception. One of the most effec- 
tive procedures relies on the use of more 
secure transmission media, such as tele- 
phones and intercoms. To help protect 
against deceptive messages, it can be 
useful to use some type of authentication 
code. An authentication code is known 
only to members of the response force and 
can verify that a critical or questionable 
transmission was indeed made by a 
member of the force. This is a simple and 
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low-cost method to increase secure com- 
munications at a facility. An example of 
an authentication code table is shown in 
Figure 12.1. 

Many technologies and systems provide 
varying degrees of voice privacy. Greater 
security generally means sacrificing other 
desirable operational characteristics. The 
level of security is related to complexity, 
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Figure 12.1 Authentication Code Table. 
The intersection of a column and row 
provides an authentication code for use 
prior to radio transmission. For example, 
position B2 would yield MW as the 
authentication code. The column and row 
identifiers may be changed each day or 
shift to increase uncertainty for an 
adversary 



cost, message intelligibility, and commu- 
nications range for several voice-private 
techniques, as shown in Figure 12.2. As a 
system becomes more secure, it will also 
become more complex, cost more, and 
have more noise in the communication 
channel that reduces effective range. 

A final point to consider when using 
voice-private radios is the effect that such 
hardware will have on the communi- 
cation network's resistance to jamming. 
Voice-private radios do not improve a 
network's resistance to jamming — they 
may even make it more susceptible to a 
jamming assault. As more secure voice- 
privacy technologies are used, message 
intelligibility and zone coverage will 
generally become poorer, and message 
survivability during jamming will also 
become poorer, as shown in Figure 12.2. 

Jamming 

Jamming refers to insertion of unwanted 
signals into the frequency channel of a 
communications system for the purpose 
of masking desired signals. RF systems are 
most vulnerable to jamming because the 
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Figure 12.2 Security Level Comparisons. As the scrambling or encryption technique 
becomes more secure, the radio also becomes more complex, more expensive, and more 
vulnerable to distortion in the communications channel. In addition, message surviv- 
ability under jamming conditions is generally poorer in the more secure systems 
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potential attacker can jam the channel 
from a remote location. The adversary can 
obtain the system's operating frequencies 
either by monitoring transmissions or by 
obtaining readily available frequency 
documentation. It then becomes a simple 
matter to begin jamming by tuning a trans- 
mitter to the proper frequency. If the 
jamming signal is of sufficient power, it 
masks the true signal to such an extent 
that effective communication becomes 
severely degraded or destroyed. Jamming 
a single-frequency system that uses hand- 
held radios with 5-watt output power can 
be accomplished by using a similar hand- 
held radio with the same or greater output 
power. 

Developing a communications network 
that is highly resistant to jamming can be 
achieved by maximizing the survivability 
of the radio network, providing alternate 
communication means to supplement the 
radio network, use of spread-spectrum 
radios, and conducting regular jamming 
exercises. 



Survivability of the 
Radio Network 

Personnel training and equipment main- 
tenance can have a significant impact on 
the survivability of a radio channel during 
a jamming assault. Methods of maximiz- 
ing the integrity of the radio network 
combine training, procedures, and equip- 
ment into secure and reliable systems. 
Procedures requiring periodic mainte- 
nance of equipment, particularly batteries 
and antennas, will contribute to system 
effectiveness. Another procedure, the use 
of codes, can also be implemented to aid 
radio communications. The codes replace 
commonly used sentences or phrases, 
such as the commonly used 10-codes in 
law enforcement. Codes make intelli- 
gence-gathering by eavesdropping adver- 
saries more difficult, and coded messages, 
especially digits, are easier to understand 
in the event of jamming. If codes are used, 



they should be used at all times, so they 
are a natural form of communication 
among guards. Trying to use unfamiliar 
codes under the pressures of an adversary 
intrusion will not help the guard force. 
In addition, the use of better equipment 
and additional training on the proper use 
of the equipment, under normal and 
jamming conditions, will accustom guards 
to these operational conditions. 

Any communication network will be 
resistant to radio jamming if alternative 
methods of transferring the desired infor- 
mation are available and can be used in 
an efficient and timely manner. If backups 
to the primary radio links are available, 
their use must be practiced in jamming 
exercises in order to be effective during an 
actual jamming assault. If redundant links 
are available and each has been effectively 
used during exercises, a communications 
network will become increasingly resis- 
tant to jamming. 

A thorough understanding of jamming 
geometry can be very helpful in main- 
taining radio communications during a 
jamming attempt. Network survivability 
improves with high-power units and units 
moved closer together. If the effects of 
jamming geometry are understood, guards 
could relay information that might other- 
wise be jammed. 



Alternate Means of 
Communication 

In the event of successful jamming, 
simply switching to an alternate radio 
channel may be the easiest method of 
reestablishing communication. All radios 
should have a minimum of two channels 
available for use at any time. The method 
of selecting between channels must be 
simple and straightforward. A mini- 
mum of four to six channels is desirable, 
but not always practical. Procedurally, all 
members of the guard force should know 
when to change channels and which 
channel to select. A code that commands 
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a move to a particular alternate security 
channel is most effective. 

In the event of complete and absolute 
jamming of the primary radio channel, it 
may not be possible to transmit the 
command to switch to the backup channel 
on the radio. To overcome this situation, 
other means such as plant public address 
systems, intercoms, or sirens can be used 
to communicate the command. However, 
even if the channel switch is successful, 
the adversary could easily identify the 
alternate channel and resume jamming 
on the new channel. 

If jamming is a threat to facility com- 
munications, lost radio communications 
should be supplemented through the use 
of alternate communication means that 
can effectively relay messages. Some al- 
ternate communication means to con- 
sider include telephones, intercoms, hand 
signals, lights, whistles, or pagers. Many 
of these communication media may al- 
ready be used for other purposes. Using 
these means during normal operations 
creates a network increasingly resistant 
to eavesdropping and deception, as well 
as jamming. If alternate communication 
links are to be effective during a jamming 
assault, they must be practiced during 
regular jamming exercises. 

Thoroughly exercising proposed anti- 
jamming techniques under simulated 
jamming conditions ensures that the tech- 
niques will be beneficial during an actual 
jamming assault. During the confusion 
and stress associated with an assault, 
unfamiliar procedures and equipment can 
only aid the adversary during the attempt 
to interrupt the information flow within 
the communication network. Procedures 
as simple as switching to a backup secu- 
rity channel are not effective until they 
have been practiced several times by all 
members of the response force. 



Duress Alarms 

Duress is an operational situation that 
the response force communication system 



should be capable of handling. Adversary 
action may result in confrontation with 
one or more members of the response 
force. It is desirable to know as early as 
possible that this situation exists. Once 
the response force is aware of the situ- 
ation, a prearranged switch to another 
communication channel might deny the 
adversary further information on response 
force actions. A number of duress systems 
are commercially available and can be 
installed throughout the facility to relay 
duress alarms. These systems are also 
used to allow nonsecurity employees a 
method of signaling for help in certain 
applications, such as airports or prisons. 

Some manufacturers offer handheld 
radios equipped with a button that, when 
pressed, sends an emergency duress 
signal, including unit identification, to 
the central monitoring station. In addition 
to the overtly activated button on the 
radio or a separate duress transmitter, 
other duress signaling options have 
been investigated to some extent. These 
options include covert, deadman, and 
holster switches. 

A covert device allows the user to 
send a duress signal while under direct 
observation by an adversary. Several 
techniques have been examined. One 
technique uses a small, balanced mag- 
netic reed switch in the user's shoe, acti- 
vated by a curling motion of the user's big 
toe. Placement in this location causes a 
significant number of nuisance alarms so 
may not be desirable. The deadman 
option consists of a liquid mercury switch 
firmly attached to a separate duress trans- 
mitter worn on the user's belt. If the user 
falls to the floor or reclines past a certain 
point, the switch closes and sends a 
duress signal. There is some resistance to 
use of this method by guards who may 
have a tendency to fall asleep while on 
duty. The holster option includes a bal- 
anced magnetic reed switch that is 
installed in the bottom of the gun holster 
and activated when the gun is removed. 
This alarm could be activated by the user 
him or herself, or by an adversary remov- 
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ing the user's gun. Of course, this system 
will only be effective when using armed 
guards. 



Spread-Spectrum Systems 

In recent years, communication systems 
that can provide a very high resistance to 
radio jamming in certain applications 
have become available. These systems 
are known as spread-spectrum systems. 
The term spread-spectrum describes 
various techniques that result in trans- 
mission on different bands. Spread-spec- 
trum radios are used in law enforcement 
and at some government facilities. Due to 
their high cost, they may be issued only 
to a limited subset of security personnel, 
guards, or other response force members. 
The spread-spectrum system most appli- 
cable to response force communications is 
the spread-spectrum, frequency-hopping 
system. Frequency-hopping technology 
will be discussed throughout this section. 
With narrow-band FM systems, infor- 
mation is transmitted on a discrete fre- 
quency. The transmitter and the receiver 
must be tuned to and remain on that fre- 



quency while information is transmitted, 
or the information will be lost. The band- 
width of these systems is typically about 
25 kHz. The frequency output from the 
transmitter of a frequency-hopping sys- 
tem spreads it over a frequency band 
10 MHz wide. If a 10-MHz band is used, 
the system could create 400 or more dis- 
crete frequency channels. According to 
the input received by the transmitter from 
a digital code generator, the system could 
then transmit alternately on these fre- 
quencies for short periods of time. The 
digital code generator, synchronized with 
the digital code generator in all receivers, 
determines the order. The dwell time on 
each of these frequency channels is quite 
short, and information transmitted during 
this short period would probably not be 
detectable by conventional receivers. 

This combination of properties forces 
an adversary to jam a large portion of the 
RF spectrum, while synchronized radios 
within the frequency-hopping network 
continue to look for information within 
only that bandwidth required for infor- 
mation transmission. Figure 12.3 shows 
the output spectra of a conventional, 
narrow-band FM system and a spread- 
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Figure 12.3 Jamming of a Conventional Radio Spectrum and a Spread-spectrum Fre- 
quency-Hopping Radio System. In a conventional radio, only one bandwidth must be 
jammed, but in a spread-spectrum system, a series of frequencies must be jammed at 
the proper time 
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spectrum, frequency-hopping system. The 
bandwidth required to transmit the infor- 
mation is labeled with the letter b in both 
figures. The successful jammer must effec- 
tively jam the bandwidth b in the con- 
ventional radio or the bandwidth N x b 
in the spread-spectrum system (where N 
is the total number of hop frequencies, 
or channels, in use). In most commercial 
frequency-hopping systems, N is approx- 
imately 250; but it is as large as 2,000 in 
some systems. The information band- 
width, b, is typically 25 kHz for both 
figures. 

Interruption 

In addition to tactical planning and 
training, it is important for the response 
force to practice deployment at the spe- 
cific facility in exercises so they will 
know what to do in the event of an ad- 
versary intrusion and when a timely 
response is required. Results of good prac- 
tice give realistic estimates of response 
force times. Field exercises should be 
used to verify that tactical training has 
resulted in the desired capability and that 
the overall tactical plan is realistic. In 
order for the response force to plan and 
practice, the threat must be characterized 
in advance. This threat quantification 
should also address whether the adver- 
sary's objective is theft, sabotage, or 
something else. 

One test of guards' proficiency at timely 
response is to determine if they can arrive 
in enough time after notification to inter- 
rupt the adversary. The responders 
require certain skills in addition to speed. 
Skills requiring testing include physical 
fitness, use of force under stress, use of 
intermediate force, tactical movement, 
accurate response communications, asset 
and facility familiarity, and use of PPS fea- 
tures to their advantage. In those cases 
where the guard force is armed, periodic 
proficiency testing in marksmanship will 
also be required. 



Some of these skills can be evaluated 
in simulation courses in the classroom. 
Others, especially the testing of the app- 
lication of the skills, can only take place 
in the facility or something quite similar 
to it. The measure of proficiency being 
tested under engagement simulation exer- 
cises in these circumstances is the 
response force's ability to interrupt an 
attack. For an immediate on-site response, 
the most acceptable level of proficiency is 
the prevention of damage or loss of assets. 

Interruption is defined as the successful 
arrival of the response force at an appro- 
priate location to confront the adversary. 
Although the goal is to capture or detain 
the adversary, interruption in this case 
refers only to arrival. Because most indus- 
trial facilities will not have the option of 
a force-on-force battle, it is assumed that 
arrival of members of the response force 
will effectively end the adversary intru- 
sion. If the adversary is considered to 
be violent, response force actions and 
equipment should align with the threat. 
This requires accurate communication 
with and the effective deployment of the 
response force. 

At facilities where an armed conflict 
between the response force and adver- 
saries is expected, force-on-force training 
exercises must also be conducted. This set 
of actions is termed neutralization and 
is measured by who wins the battle. Due 
to the unlikely need for neutralization 
at industrial facilities, interruption will 
serve as the proper immediate response 
to an adversary attack in this text. 

Deployment describes the actions of the 
response force from the time communica- 
tion is received until the force is in posi- 
tion to neutralize the adversary attack. 
The effectiveness measures of this func- 
tion are the probability of successful 
deployment to the adversary location 
and the time required to deploy the re- 
sponse force. 

Members of the response force must be 
trained in the details and procedures 
established in contingency planning. In 
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addition, they must be trained in tactics 
that increase their chances of successful 
deployment and arriving at the adversary 
location. These tactics include: 

• knowledge of facility security priori- 
ties and vulnerabilities 

• precautions to avoid diversion 

• proper movement in and around 
buildings 

• proper nighttime response 

• proper deployment from a vehicle 

• how to work as a response team 
member 



Procedures 

In addition to the training and response 
procedures already described, procedures 
regarding normal operations should also 
exist for on-site guards and off-site 
response personnel. Aside from logistical 
issues such as shift scheduling and cov- 
erage, key control, guard patrol routes, 
post orders, and incident reporting pro- 
cedures are all parts of an effective 
response system. Depending on the oper- 
ating hours at a facility, and the threat and 
assets to be protected, on-site guards may 
be required around the clock or less often. 
If the assets to be protected are low-con- 
sequence loss items, on-site guards may 
only be required during normal business 
hours. At larger more complex facilities 
with 24-hour operations, on-site guards, 
perhaps in reduced numbers for off-shifts, 
may be necessary. The number of guards 
required to protect a facility will depend 
on the number of shifts, the number of 
guards required per shift, the tasks that 
guards are expected to perform as part of 
normal operations, the number of guards 
needed to respond to a malevolent threat, 
and the response strategy at the facility. 
Guards may be located in fixed positions, 
on continuous patrol on foot or by 
vehicle, or in a combination of the two. 
Variations in personnel availability due to 
sickness, vacations, or company-required 



training must be incorporated into shift 
scheduling. 

At many facilities the issue of key 
control presents a major problem to the 
security force. As a general guideline, the 
number of keys issued should be limited, 
and procedures concerning key-copying, 
return of keys at the end of a shift or upon 
termination of employment, and periodic 
re-keying of locks should be considered. 
Related details to key control were dis- 
cussed in Chapter 10, "Entry Control." An 
additional procedure that should be 
incorporated into key control is the use of 
on-site guards to unlock doors for employ- 
ees during normal or off-hours, rather 
than issuing keys to all employees. Proce- 
dures detailing the telephone number for 
employees to call for assistance and the 
proper method of validating employee 
access, particularly during off-hours, 
should exist. This will help limit the 
number of keys issued and provide on-site 
guards with another opportunity to 
collect information about keys and opera- 
tional status across the facility. For 
example, if a door is supposed to be 
unlocked each morning at 7:00 A.M. and 
it isn't one morning, a report should be 
generated to look into the reason for the 
oversight. After-hours access may be 
limited to only certain manned doors or 
gates and may require supervisor or 
manager advance authorization. In this 
case, security guards must be notified of 
this authorization. In those cases where 
automated personnel entry control is 
used, these issues are addressed through 
the use of access control rules within the 
system software. 

During each guard shift, post orders, 
which are the procedures that guards 
are required to comply with while on 
duty, should be available at each guard 
station. These orders generally cover 
activities such as guard tour frequency 
and reporting, notification lists and phone 
numbers in case of a malevolent attack or 
abnormal event, and any other special 
instructions. Post orders will also nor- 
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mally detail the format and information 
required for a guard to provide when 
reporting an incident, notifying other 
security personnel of a need for main- 
tenance on a protection system element, 
or other noteworthy events. Blank forms 
for this purpose are often provided to 
facilitate this process. 

Summary 

This chapter discusses the PPS function 
of response in terms of general issues, 
contingency planning, communication, 
and interruption. Contingency planning 
includes tactical planning, interaction 
with outside agencies, the facility's use of 
force policy, and additional duties of the 
guard force. The importance of relating 
the strategy of the response force to assets 
and potential adversary actions is dis- 
cussed. Several issues associated with 
interacting with outside agencies and 
the need for joint training exercises are 
emphasized. These include establishing 
radio frequencies for communication, off- 
site pursuit tactics and permissions, roles 
and responsibilities for each cooperating 
group, and the chain of command during 
a response action. A written use of force 
policy and training in the application of 
this policy is also essential. Additional 
procedures describing guard force daily 
operations, such as guard force assistance 
during safety events or bad weather at a 
facility, after hours access and post orders, 
are also presented. 

Depending on the threat, the successful 
operation of a PPS may require a reliable 
response force communication network 
resistant to eavesdropping, deception, 
and jamming. Voice private radios can 
improve a network's resistance to eaves- 
dropping and deception and are desirable 
during both normal and emergency oper- 
ations. Digitally encrypted radio trans- 
missions tend to be more secure than 
analog transmissions, but are also more 



expensive. The use of various scram- 
bling techniques can create additional 
operational problems. Most voice-private 
radios tend to make a network more 
susceptible to jamming unless other pre- 
cautions are taken. Development of 
procedures requiring proper mainte- 
nance of equipment, training in equip- 
ment use and communications, and use of 
alternate communication media are valu- 
able jam-resistant techniques. Spread- 
spectrum radios that provide resistance to 
jamming may be considered by facility 
security managers, if warranted by the 
design basis threat. 

The elements of interruption are also 
discussed. The importance of a well- 
trained response force arriving at the 
appropriate location in a timely man- 
ner when an immediate on-site response 
is required cannot be overemphasized. 
Careful planning, training, and testing of 
response force capabilities is necessary. 
Practicing functional response skills on 
the job is analogous to maintenance and 
operational practice concerning equip- 
ment. As with equipment design, evalua- 
tion of human performance in carrying 
out PPS tasks is a necessary step in 
assuring that the total PPS — equipment 
together with people and procedures — 
is able to achieve its performance goal. 

An important consideration in all 
response elements is the need for train- 
ing. Facility security managers should 
not underestimate the value of training 
in all areas of the response system. This 
includes joint exercises with support 
agencies, facility contingency plans, re- 
sponse force deployment, recapture opera- 
tions, use-of-force policies, and weapons 
and equipment proficiency training. 
The effectiveness of the response 
force should be periodically evaluated 
by limited scope performance drills 
and written examination. 

This chapter concludes Part Two of the 
process of PPS design and evaluation. At 
this point, PPS objectives and design tools 
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and considerations have been reviewed. 
The final piece of the process — analysis 
and evaluation — will be addressed in Part 
Three. 

Security Principles 

Contingency planning forms the basis of 
an effective response force. This includes 
corporate policies and procedures, train- 
ing, determination of response force tac- 
tics, use of force, and normal operating 
procedures. 

Response to a malevolent event can be 
immediate, requiring a response force 
capable of timely response, or after-the- 
fact recovery, which is accomplished 
through a greater range of activities. 

Response force strategies include con- 
tainment, denial, and assault. 

A vital element of response force effec- 
tiveness is communication. 

The measures of response force 
effectiveness include response force time 
for interruption and probability of 
communication. 

Interruption describes arrival of the 
response force at the appropriate location. 
It is assumed that for an immediate on-site 
response, arrival will cause the adversary 
to surrender or abandon the intrusion. 
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Questions 

1. Discuss the following application 
considerations: 

a) A secure radio frequency 
should be dedicated to security 
operations. 

b) Purchased weapons should be 
appropriate for the facility. 

c) Guard and response force per- 
sonnel should be well trained 
for deployment and use of 
weapons. 

d) Open communication and 
understanding between facility 
management, security manage- 
ment, and the response force 
regarding vulnerabilities and 
realistic response capabilities 
should not be inhibited. 

e) Response strategy should 
include a sufficient number 

of guards in the response force 
and should not assume un- 
realistic or nonexistent 
containment capabilities. 

2. In addition to training in corporate 
policies and procedures in use of 
force and radio communications, 
what additional training might be 
beneficial for members of the 
response force? 
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5. 



What are some of the individual 
factors that affect response force 
performance? 

What is the most important aspect of 
the response function? 
What is the difference between tac- 
tical training and tactical practice? 



6. What might be some general rules 
for determining the size of a guard 
force? 

7. What outside agencies might be part 
of a response force at a particular 
facility? 
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After the PPS objectives have been estab- 
lished and a new or upgraded design 
has been developed, it is necessary to 
analyze the effectiveness of the design in 
meeting the objectives. This analysis can 
take one of two forms — quantitative 
or qualitative. A rigorous quantitative 
analysis is required for protection of 
assets with unacceptably high conse- 
quence of loss, even if the probability of 
an adversary attack is low. This is a char- 
acteristic of high-security systems found 
at commercial nuclear power plants, 
prisons, and some government or military 
installations. This approach can also be 
applied carefully to museums, refineries, 
utilities, airports, telecommunications 
hubs, and large industrial complexes. 
In each of these cases the loss of or 
damage to at least some of the assets can 
have high consequences — loss of many 
lives, loss of an irreplaceable piece of 
culture or history, damage to the environ- 
ment, or compromise of our national 
security. The response strategy applied to 
these assets is usually an immediate on- 
site response. For a quantitative analysis 
to be justified the asset must require this 
level of protection, and performance 



measures for system components must be 
available. 

A qualitative analysis is more suitable 
when evaluating lower-security applica- 
tions. These facilities will have lower con- 
sequence loss assets and so will be better 
able to withstand loss or damage of an 
asset. Some examples might include retail 
stores, apartment buildings, small busi- 
nesses, and restaurants. Some facilities 
will have a mix of assets, so the PPS 
designer must balance resources appro- 
priately to provide the most protection to 
critical assets, and lower protection to 
other assets. In addition, each facility may 
have other constraints that can strongly 
influence the protection system design. 
For example, although school shootings 
are tragic and emotionally devastating, 
there is little movement to turn schools 
into armed camps with many layers of 
security around them. Designing and 
implementing an effective system are very 
dependent on the goals and constraints of 
a facility, which is why determining 
objectives is such a vital step in the 
process. 

Analysis of the PPS will establish the 
assumptions under which a design was 
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formed, relate system performance to 
threats and assets, and allow a cost-benefit 
decision to be made. Whether a qualita- 
tive or quantitative analysis is used, 
proper application of the system concepts 
and principles described in the previous 
chapters will assure the effective protec- 
tion of assets at a facility. This chapter 
will provide an introduction to the analy- 
sis process. Chapter 14, "EASI Computer 
Model for Analysis," will describe the use 
of a particular model to predict system 
performance through the use of an 
analysis tool. 

A PPS is a complex configuration of 
detection, delay, and response elements 
that can be analyzed to determine 
system effectiveness. The analysis will 
identify system deficiencies, help eval- 
uate improvements, and enable cost- 
versus-effectiveness comparisons. These 
techniques can be used for evaluating 
either an existing protection system or a 
proposed system design. There are several 
reasons for reevaluating an existing pro- 
tection system. It is essential that the 
system design be reviewed and updated 
from time to time to incorporate advances 
made in the state of the art in physical 
protection hardware and systems or to 
accommodate the introduction of new 
processes, functions, or assets within a 
facility. Further, the design of a PPS for a 
specific facility is expected to vary over 
time when prevailing circumstances indi- 
cate a need for a different level of physi- 
cal protection. A good example of this is 
the escalation of threat to a facility. Only 
by conducting periodic reanalysis can the 
effect of these changing conditions be 
seen and quantified. 

Adversary Paths 

The analysis and evaluation principles 
and models used in this text are based on 
the existence of adversary paths to an 
asset. An adversary path is an ordered 
series of actions against a facility, which, 
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Figure 13.1 One Sabotage Path to a Criti- 
cal Pump in a High-Security Facility. 
Multiple layers of protection must be 
breached in order for the adversary to be 
successful 



if completed, results in successful theft, 
sabotage, or other malevolent outcome. 
Figure 13.1 illustrates a single sabotage 
path of an adversary who wishes to 
destroy a pump in an industrial facility. 
Protection elements along the path detect 
and delay the adversary. Detection 
includes not only sensor activation but 
also alarm communication and assess- 
ment. Figure 13.2 describes the security 
elements along this path. 

As described in previous chapters, 
the protection system design starts with 
threat definition and target asset identifi- 
cation, and detection, delay, and response 
elements are specific to the protection 
objectives and characteristics of the facil- 
ity. The performance measures previously 
described for these protection elements 
are used in path analysis to determine 
system effectiveness. These performance 
measures include the probability of detec- 
tion, delay times, response force time, 
and probability of communication. At 
most facilities, many adversary paths to 
each asset are possible; therefore, the 
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Figure 13.2 The Security Elements along the Sabotage Path. Each element can have 
detection and delay components 
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Figure 13.3 Minimum Time as a Measure of PPS Effectiveness. For the system to be effec- 
tive, guard response time, T G , must be less than the minimum time delay along the path, 
Tmi N . Arrows relate to the tasks of Figure 13.1 



identification and evaluation of adversary 
paths are usually complex processes that 
can be facilitated through the use of com- 
puter models, as described in Chapter 14, 
"EASI Computer Model for Analysis." 

Effectiveness Measures 

The goal of an adversary is to complete a 
path to an asset with the least likelihood 
of being stopped by the PPS or, con- 
versely, the highest likelihood of suc- 
cessful attack. To achieve this goal, the 
adversary may attempt to minimize the 
time required to complete the path. This 
strategy involves penetrating barriers 
as quickly as possible with little regard 
to the probability of being detected. An 
example of this adversary tactic is a force 
attack. The adversary is successful if the 



path is completed before guards can 
respond. Alternatively, the adversary may 
attempt to minimize detection with little 
regard to the time required. This adver- 
sary tactic is based on a stealth attack. In 
this case, the adversary is successful upon 
completion of the path without being 
detected. 

Recognizing these two extremes of 
adversary action, effectiveness measures 
are available to assess system perfor- 
mance. One measure of PPS effectiveness 
is the comparison of the minimum cumu- 
lative time delay along the path (T M in) 
compared to guard response time (T G ). An 
adequate PPS provides enough delay for 
guards to respond. Figure 13.3 illustrates 
minimum time as a measure of system 
effectiveness. For an effective system, T G 
must be less than T MIN . System improve- 
ments are achieved by decreasing T G or by 
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Figure 13.4 Cumulative Probability of Detection as an Effectiveness Measure. P MIN must 
be an acceptable value, but there is no consideration of delay along the path. Arrows 
relate to the tasks of Figure 13.1 



adding protection elements with more 
delay to increase T MIN . The disadvantage 
of this measure is that no consideration of 
detection is involved. Delay without prior 
detection is not meaningful because the 
response force must be alerted in order to 
respond and interrupt the adversary. 
Therefore, minimum time is often not the 
best measure of system effectiveness. 

Another measure of effectiveness is the 
cumulative probability of detecting the 
adversary before the goal is achieved. An 
adequate protection system provides 
high probability of detection. Figure 13.4 
illustrates the effectiveness measure of 
cumulative probability of detection. For 
an effective system cumulative detection 
probability along path, P MIN , must be an 
acceptable value. The disadvantage of this 
measure is that no consideration of delay 
is involved. Detection without sufficient 
subsequent delay is not effective because 
the response force may not have sufficient 
time to interrupt the adversary. 

Due to the deficiencies of each of these 
measures, neither delay time nor cumula- 
tive probability of detection alone is the 
best measure of system effectiveness. A 
better measure of effectiveness is timely 
detection, which combines P M in. T min , and 
T G . The principle of timely detection 
states that system effectiveness is mea- 
sured by the cumulative probability of 
detection at the point where there is still 
enough time remaining for the response 
force to interrupt the adversary. Figure 



13.5 illustrates the principle of timely 
detection. Note that the delay elements 
along the path determine the point by 
which the adversary must be detected. 
That point is where the minimum delay 
along the remaining portion of the path 
(T R ) just exceeds the guard response time 
(T G ) and is referred to as the critical detec- 
tion point (CDP). The probability of inter- 
ruption (P|) is the cumulative probability 
of detection from the start of the path up 
to the CDP, which is the point determined 
by T R . We use P r to represent this value 
to differentiate it from the total cumula- 
tive probability of detection because it 
only considers detection up to the CDP. 
Because Pi represents timely detection, it 
serves as the overall measure of system 
effectiveness. Consistent with the discus- 
sion in the previous chapter on response, 
timely detection considers only detection, 
delay, and guard response time. It does 
not consider any force-on-force engage- 
ment between the response force and 
adversaries. It is unlikely that any indus- 
trial facility will engage in use of lethal 
force against an adversary, so these 
aspects will not be considered in this text. 
In the event that a force-on-force engage- 
ment is expected, additional modeling 
and simulation tools are available to 
predict the outcome of the conflict, which 
is termed neutralization. These tools are 
beyond the scope of this text; however, 
they are used in some high-security 
applications. 
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Figure 13.5 Timely Detection as the Measure of System Effectiveness. This is the cumu- 
lative probability of detecting the adversary at the point where there is still enough time 
remaining for the response force to interrupt the adversary. That point is the critical detec- 
tion point (CDP). We call the cumulative probability of detection P,, which is the measure 
of system effectiveness. Arrows relate to the tasks of Figure 13.1 



Quantitative Analysis 



To calculate P h we make an assumption: 
that the adversary will try to minimize 
detection before the CDP and minimize 
delay after the CDP. For the adversary to 
minimize detection, careful movement is 
required up to the CDP. This careful move- 
ment may include stealth or deceit. After 
the CDP, detection is less effective because 
there is not enough delay remaining for 
the response force to respond. After that 
point, the adversary is assumed to change 
tactics and try to minimize delay. This is 
accomplished by moving as fast as possi- 
ble, with no concern for detection. It is 
important to note that the adversary may 
not choose this attack approach; this is a 
method used to make a conservative esti- 
mate as to system effectiveness. The effec- 
tiveness of the system, then, is somewhat 
dependent on adversary tactics. Adver- 
saries may use combinations of force, 
stealth, and deceit in order to accomplish 
their goals. This is why a well-defined 
design basis threat is so important to 
system effectiveness. The most successful 



adversary is assumed to be knowledgeable 
enough to defeat or bypass detection 
along the path up to the CDP and also 
knows the response force time. 

It is a conservative assumption that the 
adversary will move as quickly as possi- 
ble after the CDP. Adversary tactics that 
do not follow this assumed attack mode 
will increase system effectiveness. For 
example, if the adversary starts to move 
quickly earlier in the path, they will be 
detected sooner so more time is left to 
respond. If the adversary tried to mini- 
mize detection for a longer time (past the 
CDP), this added delay can work with 
remaining detection elements to provide a 
high probability of detection and allow for 
an effective response. Of course, an adver- 
sary who effectively avoids detection up 
to the CDP and then minimizes delay can 
be expected to be successful! This is one 
reason why protection in depth is so 
important. If the adversary is uncertain as 
to where he or she has been detected and 
changes tactics, this change can increase 
the probability of interruption. Alterna- 
tively, by having multiple layers of pro- 
tection around a facility, the chances of 
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Figure 13.6 Timely Detection Baseline Example. Adversary actions along a sabotage path, 
with associated detection and delay elements 



facility success in protection of assets are 
increased. 

In terms of PPS elements, delay time is 
calculated as a sum and probability of 
detection as a product, so we have: 

m k-1 

TR=x Ti>TG pi=i-n p ND, 

Me 

where m is the total number of protection 
system elements along the path; k is the 
point at which T R just exceeds T G ; T; is the 
minimum time delay provided by element 
i; and P ND i is the nondetection probability 
provided by element i (that is, the proba- 
bility that element i will not detect the 
defined adversary), which is the comple- 
ment of P D . For example, a nondetection 
probability of 0.2 means that there is a 
20% probability the adversary will not be 
detected, hence, an 80% probability that 
the adversary will be detected. It is impor- 
tant to note that analysis models use the 
probability of nondetection, while P D 
is the performance measure for detec- 
tion elements. Obviously, the probability 
of nondetection cannot be quantified 
directly. In addition, we assume that 
detection at each element is an indepen- 
dent variable. P| is the probability of 
interruption, or the cumulative proba- 
bility of detection for all elements, as 
described above. 

The following example illustrates the 
concept of timely detection. Consider 
the path in Figure 13.1 and 13.2 again. 
Assume that existing protection system 
elements provide the time delays and 
nondetection probabilities given in Figure 



13.6 and that detection occurs before 
delay. If the guard response time is 90 
seconds, the analyst must find the point 
on the adversary path where the adversary 
is more than 90 seconds away from the 
pump. In this example, that point is at 
the wall. The time remaining on the path 
is 114 seconds after penetration of the 
wall — 30 seconds to destroy the pump 
plus 84 seconds to penetrate the inner 
door. This means that if the adversary is 
not detected at the wall, there will not be 
sufficient time remaining for the guards to 
interrupt this adversary. Because three 
detection elements have been passed, the 
probability of interruption is calculated 
only using those elements. The outer 
fence has no detection element, so its 
probability of nondetection is 1.0. Both 
the outer door and the wall have detection 
elements present that occur before or at 
the CDP This gives the result: 

P, = 1 - (1.0 * 0.9 * 0.7) = 0.37 (cumulative 
probability of detection at CDP) 

T R = 30 + 84 = 114 seconds (delay time 
remaining) 

The analyst must repeat this process for 
many adversary paths, find the most vul- 
nerable path, and decide whether this is a 
satisfactory result. The most vulnerable 
path is the one with the lowest P I# If these 
results are not acceptable, the system 
must be improved. 

In this example, system performance 
can be improved. As shown in Figure 
13.7, delay at the pump has been 
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Figure 13.7 Timely Detection Upgraded Example. Detection has been improved at the 
outer door, delay has been added at the pump, and guard response time has been reduced 
to 40 seconds. The CDP is now located at the pump, thus adding an additional layer of 
detection and delay to the system 



increased to 50 seconds, and detection 
on the outer door has been improved. In 
addition, guard response time has been 
reduced to 40 seconds. As a result of these 
upgrades, the P] has increased to 0.87. 
Close inspection of these upgrades will 
also reveal that the CDP has now shifted 
to the inner door. Because the guard 
response time has been reduced to 40 
seconds, and the delay at the pump 
increased to 50 seconds, the point at 
which T R just exceeds T G (CDP) is now at 
the pump. Aside from the obvious bene- 
fits of increased performance of indi- 
vidual components, these upgrades now 
allow credit for detection at the inner 
door, which was not the case in the 
baseline example. These upgrades were 
achieved through relatively simple 
means. Using sensors with higher P D s will 
increase detection; delay at the pump 
might have been increased by placing 
the pump inside a metal enclosure with 
a lock. Guard response time could be 
decreased by moving guards closer to the 
target, perhaps part of a reallocation of 
available personnel closer to high-value 
assets. Regardless of how the increased 
performance is obtained, analysis of pro- 
posed or necessary upgrades will help the 
designer or analyst to optimize system 
performance. In this example, the up- 
grades added another layer of protection 
to the system. 



Critical Path 



Clearly, there are many adversary paths 
into a facility. The critical path is that path 
with the lowest P^ The critical path char- 
acterizes the effectiveness of the overall 
protection system in detecting, delaying, 
and interrupting the adversary. After a 
preliminary quantitative analysis of a 
facility, consideration of upgrades to 
the facility will be made, starting with 
the most vulnerable paths. The use of the 
principle of balanced protection allocates 
upgrades so that all paths to critical assets 
have approximately the same P^ Balanc- 
ing protection may allow the removal or 
replacement of some protection elements 
on paths that are overprotected compared 
with some other paths. In a similar way, 
paths that are very weak may be strength- 
ened by relocation of protection elements 
from paths that have very high P^. This is 
part of the art of systems analysis. A good 
analyst will be able to propose upgrades 
that meet system protection objectives 
while maximizing the use of available 
funding, equipment, and personnel. 

Note that paths differ depending on 
the adversary objective. Theft implies the 
adversary must get into and out of the 
facility to succeed, while sabotage only 
requires that the adversary get to the asset 
and have time to complete the act of 
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sabotage to be successful. This difference 
is extremely important when performing 
a quantitative analysis, because it will 
determine how much time the response 
force has to interrupt the adversary. 

Qualitative Analysis 

Quantitative analysis is used for assuring 
protection of critical, high-value assets 
where testing data is available, either from 
performance tests run on the PPS or from 
tests run in the laboratory. When one of 
these two aspects is not present — either 
the asset has a lower consequence of loss 
or the data are not available — a qualitative 
analysis can be used. As an example, if an 
asset can be temporarily lost or easily 
replaced, there may be limited value in 
looking in detail at the protection system. 
There may be other assets of high value, 
perhaps a corporate executive, where a 
full quantitative analysis is not per- 
formed, because it would be too disrup- 
tive to rigorously test and validate all 
aspects of security around an executive or 
time is not available to do so. 

During a qualitative analysis probabili- 
ties are assigned a descriptor, such as low, 
medium, or high rather than a numerical 
value. The analyst can create a conversion 
table, like the one shown in Table 13.1, 
that can be used to assign these descrip- 
tors. The assignments are typically based 
on subject-matter expertise rather than 



tests. The table also comes in handy for 
converting any testing data that is used 
during the analysis. 

To calculate the qualitative equivalent 
of P|, the analyst can proceed in two ways. 
The simpler method is to compare sub- 
jective predictions of delay time in the 
system after detection to the response 
force time. If the delay time should easily 
exceed the response force time, assign a 
very high probability of interruption; if 
they are close assign a medium; and so on. 
The detailed method is to develop a time- 
line, like the one described earlier in this 
chapter, and to mentally assign the CDP 
based on where the analyst predicts the 
time remaining just exceeds the response 
force time. The analyst then looks at 
each point of detection up to the CDP 
and assigns a verbal descriptor to each 
location. Probability of interruption is 
then assigned to be the maximum 
descriptor over all detection locations 
up to the CDP. 

Applying this approach to the baseline 
example found in Figure 13.6, the analyst 
would have to predict where the CDP was. 
If the CDP is assumed (correctly) to be the 
wall, then the analyst might assign a VL 
to the first two locations, and an L to the 
third location. The probability of inter- 
ruption would be assigned an L, by taking 
the largest of the three scores. If the 
analyst had incorrectly assigned the CDP 
as the inner door the probability of inter- 
ruption would be assigned as a VH, result- 



Table 13.1 Conversion Table between Verbal Descriptors of Probability and Numerical 
Values. 

This table can be used in a qualitative analysis when there are no performance data to 
support a quantitative analysis or the asset is a lower-consequence target. 



Verbal Descriptor of Probability 

Very Low (VL) 
Low (L) 
Medium (M) 
High (H) 
Very High (VH) 



Equates, Roughly, to the Following Probability 



.1 

.25 

.5 

.75 

.9 
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ing in an incorrect conclusion that the 
pump was well protected. This example 
shows that the result of a qualitative 
analysis depends very heavily on the skill 
of the analyst. 

A qualitative analysis still requires that 
the analyst follow the process of defining 
threats and targets and evaluating system 
performance, but these should be tailored 
to meet the budget and time constraints 
for the analysis. Where security compo- 
nents cannot be tested, a basic under- 
standing of equipment will facilitate good 
design. For example, an understanding of 
the sources of nuisance alarms for interior 
sensors can help the designer predict that 
a PIR will not work well in an application 
where there are too many heat sources. 
This understanding can also be used to 
predict that several microwave sensors 
will work well because nuisance alarm 
sources for these sensors are not present 
and their energy will flood the area. In this 
way, reasonably effective systems can be 
constructed, without demanding the same 
rigor that would be applied in a quantita- 
tive analysis. 

Beyond these aspects, the basic features 
of design using a qualitative analysis are 
the same as design based on quantitative 
analysis. Security principles, such as 
detection before delay, protection-in- 
depth, balanced protection, orientation 
of sensors, consideration of operating 
environment and nuisance alarm rates, 
complementary sensors, camera resolu- 
tion, light-to-dark ratio, proper equip- 
ment installation and maintenance, and 
response force training will still play a 
role in system effectiveness, whatever the 
type of analysis done. The purpose of the 
protection system in either case is still to 
protect the asset. 

Summary 

This chapter describes the concept of 
an adversary path for modeling a PPS 
system. Three possible measures of sys- 
tem effectiveness include delay time, 



cumulative probability of detection, 
and timely detection. Of these measures, 
timely detection is the most important. 
Timely detection is the principle that 
system effectiveness is measured by 
the minimum cumulative probability of 
detection of the adversary at the point 
where there is still enough time remain- 
ing for the response force to interrupt the 
adversary. This chapter also establishes 
the bases for use of quantitative and qual- 
itative analysis. A quantitative analysis is 
appropriate when the asset has an unac- 
ceptably high consequence of loss and 
performance data are available. A qualita- 
tive analysis can be used for lower- 
consequence loss assets or when the rigor 
of a quantitative analysis cannot be 
supported. For a quantitative analysis, an 
immediate on-site response is generally 
necessary, because the response force time 
is part of the overall system effectiveness. 
Performance measures that are used in 
a quantitative analysis include the 
probability of detection, delay times, and 
response force times. Along each path, the 
existence of a critical detection point is 
noted and the relationship between delay 
time remaining on the path and response 
time is compared. 



Security Principles 

Analysis of a protection system uses the 
concept of adversary paths. 

An analysis can be quantitative or 
qualitative. A quantitative analysis is pre- 
ferred for high-value critical assets with a 
high consequence of loss and where an 
immediate response is required. A quali- 
tative analysis can be used for lower 
threats and for lower-consequence loss 
assets. 

Timely detection states that system 
effectiveness is measured by the 
minimum cumulative probability of 
detection of the adversary at the point 
where there is still enough time remain- 
ing for the response force to interrupt the 
adversary. 
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The measure of system effectiveness in 
a quantitative analysis is P I; which is the 
measure of timely detection. 

Questions 

1. Discuss the differences between 
quantitative and qualitative analy- 



sis. What elements of a protection 
system would help to determine 
which type to use? 

2. What is timely detection? 

3. What performance measures are 
used in quantitative analysis? 

4. Describe what we mean by adver- 
sary path, and why this concept is 
useful in protection system analysis? 
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There are many quantitative analytical 
computer models that can help the 
analyst evaluate the effectiveness of a 
PPS. Most of the models follow the same 
basic format. They provide a mechanism 
for entering the input data, performing the 
required computations, and finally dis- 
playing the output. Some are particularly 
good at analyzing the insider threat, while 
others are better suited for outsiders. In 
addition, there are several commercially 
available products that can be used in 
qualitative analysis of a PPS. These tools 
are useful for an initial evaluation of 
protection system needs, and can help 
in designing protection for lower- 
consequence loss assets. Caution should 
be used if applying qualitative tools in 
evaluation of protection systems for high- 
consequence loss assets, because this 
analysis may not adequately predict 
system performance. 

Quantitative Analysis Tools 

Some selected models that have been 
used at Sandia National Laboratories are 
described below. This is not a complete 



list; some of these models have been 
replaced with newer models aided by 
advances in technology, and models are 
continually being developed, but the list 
gives an idea of the types of models that 
have been developed. All of these models 
are based on rigorous and validated 
research and development. 

• ASSESS (Analytic System and Soft- 
ware for Evaluating Safeguards and 
Security) — A state-of-the-art proprie- 
tary model, in use by the DOE, that 
incorporates the insider threat into 
an advanced methodology. The 
output is a ranking of the threat 
paths of a facility. This model also 
analyzes the force-on-force encoun- 
ters between adversaries and secu- 
rity forces and provides a probability 
of defeat. This model incorporates 
the EASI algorithm to predict system 
performance. 

• EASI (Estimate of Adversary Sequ- 
ence Interruption) — A simple, easy- 
to-use method of evaluating PPS 
performance along a specific path 
and under specific conditions of 
threat and system operation. This 
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model computes a probability of in- 
terruption from an analysis of the 
interactions of detection, delay, re- 
sponse, and communication and will 
be discussed in more detail in this 
chapter. 

FESEM (Forcible Entry Safeguards 
Effectiveness Model) — A computer 
model useful for the analysis of a 
fixed site's effectiveness against a 
forcible entry and attack by an adver- 
sary. The model uses a simulation to 
analyze a forced entry along an 
assumed path by an adversary with 
an assumed set of attributes. This 
model is no longer in use and has 
been replaced by EASI. 
ISEM (Insider Safeguards Effective- 
ness Model) — Another model using 
assumed paths and adversary attri- 
butes that simulates a group of insid- 
ers attempting to steal material or 
sabotage a facility. The input data 
relating to the effectiveness of 
the personnel control system, the 
sensors, portal detectors, and guard 
force tactics are very subjective. This 
model is no longer in use and has 
been replaced by EASI. 
SAFE (Safeguards Automated Facil- 
ity Evaluation) — SAFE takes the 
input data relating to the facility, 
the physical protection features, the 
adversary paths, and the response 
force and selects the most vulnerable 
paths through a facility. The model 
then applies EASI along the most 
vulnerable paths and uses BATLE 
(Brief Adversary Threat Loss Esti- 
mator — a force-on-force engagement 
model) to determine the probability 
of neutralization. 

SAVI (System Analysis of Vulnera- 
bility to Intrusion) — This model pro- 
vides a comprehensive analysis of 
all adversary paths into a facility. 
Once data on the threat, target, 
facility, site-specific PPS elements, 
and response force time are entered, 
the SAVI code computes and ranks 



the ten most vulnerable paths for up 
to ten response force times. This 
model uses the EASI algorithm to 
predict system performance. 
• SNAP (Safeguards Network Analy- 
sis Procedure) — SNAP employs 
the network modeling approach 
to problem-solving. It requires the 
analyst to model the facility, the 
guard force, and the adversary force. 
SNAP is highly scenario-dependent 
and uses an assumed attribute 
method to give a measure of the 
PPS effectiveness within a certain 
scenario. For applications in which 
force-on-force battles are not ex- 
pected, EASI is the preferred ana- 
lysis tool. 

Each of these techniques utilizes the 
effectiveness measure of timely detection. 
EASI was selected as the model to demon- 
strate in this text because other more 
complex path analysis tools are based on 
the EASI model. EASI is simple to use, 
easy to change, and it quantitatively illus- 
trates the effect of changing physical pro- 
tection parameters. EASI was developed 
in the 1970s for use on a hand calcula- 
tor (Bennett, 1977). Modified versions for 
use on personal computers now exist 
(Chapman and Harlan, 1985). The most 
commonly used form of EASI is as a 
Microsoft Excel® application. A listing of 
the Excel code that will run on a personal 
computer can be found in Appendix B, 
"EASI Model." In addition, the model is 
available for download at www.bh.com. 
This chapter will explain the model, the 
input, and the output, and then describe 
the best way to use the model. 

EASI Model 

EASI is a simple calculation tool that 
quantitatively illustrates the effect of 
changing physical protection parame- 
ters along a specific path. It uses detec- 
tion, delay, response, and communication 
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values to compute the P^ But, since EASI 
is a path-level model, it can only analyze 
one adversary path or scenario at time. 
Path level means that the model analyzes 
the protection system performance along 
only one possible adversary path or one 
adversary scenario. Even so, it is able to 
perform sensitivity analyses and analyze 
PPS interactions and time trade-offs along 
that path. 

For theft or sabotage attempts to be 
defeated, the response force must be noti- 
fied of the attempt while sufficient time 
remains to respond and interrupt the 
adversary. Communication of the alarm to 
an operator and to the response force, 
therefore, is a factor in the analysis. An 
adversary interruption occurs in the EASI 
model if the PPS works properly, result- 
ing in confronting the adversary with a 
response force large enough to prevent 
them from proceeding further along their 
path. The input for the model requires (1) 
detection and communication inputs as 
probabilities that the total function will be 
successful, and (2) delay and response 
inputs as mean times and standard devia- 
tions for each element. The output will be 
the Pj, or the probability of intercepting the 
adversary before any theft or sabotage 
occurs. After obtaining the output, any 
part of the input data can be changed 
to determine the effect on the output. 
However, because EASI is a path-level 
model, as systems get larger and more 
complex, better computer models are 
needed to perform the analysis of multiple 
paths. This point will be discussed later in 
the chapter, in the section titled "Adver- 
sary Sequence Diagrams (ASD)." ASDs 
provide a graphical method to represent 
the protection elements in a system, which 
can serve as the interface between a human 
analyst and computer software. 



The Input 

In the EASI model, input parameters rep- 
resenting the physical protection func- 



tions of detection, delay, and response 
are required. Communication likelihood 
of the alarm signal is also required for 
the model. Detection and communica- 
tion inputs are in the form of proba- 
bilities that each of these total functions 
will be performed successfully. Delay and 
response inputs are in the form of mean 
times and standard deviations for each 
element. All inputs refer to a specific 
adversary path. 

The EASI input for the detection func- 
tion is the P D for each sensor encountered 
by an adversary. As discussed in previous 
chapters, this probability is highly depen- 
dent on the capabilities of the adversary. 
The P D is the product of the probability 
that the detector will sense abnormal or 
unauthorized activities by the adversary 
(P s ), the probability that an alarm indica- 
tion will be transmitted to an evaluation 
or assessment point (P T ), and the proba- 
bility of accurate assessment of the alarm 
(P A ). P s was discussed in Chapter 5, 
"Physical Protection System Design," and 
assessment was covered in Chapter 8, 
"Alarm Assessment." The relationship 
among these performance measures for P D 
can be summarized as: 

P D = P S *P T *P A 

The communication of an alarm condi- 
tion to the response force is input into 
EASI as the probability of guard commu- 
nication, P c . In most PPSs, the likeli- 
hood of successful communication to the 
response force increases with time. The 
value entered into EASI for P c is the prob- 
ability of guard communication associ- 
ated with the guard communication time 
included in the response force time (RFT). 
Evaluation of many systems designed and 
implemented by Sandia National Labora- 
tories indicates that most systems operate 
with a P c of at least 0.95. This number can 
be used as a working value during the 
analysis of a facility, unless there is reason 
to believe that this assumption is not 
valid. If actual testing at a facility yields a 
different P c , this number should be used; 
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if guard communication appears to be less 
dependable, a lower value can be substi- 
tuted in the model. Factors that may influ- 
ence P c include lack of training in use of 
communication equipment, poor mainte- 
nance, dead spots in radio communica- 
tion, or the stress experienced during an 
actual attack. This flexibility allows the 
analyst to vary P c as needed to correctly 
represent this function. 

The delay time required by an adver- 
sary to travel a given path to a target can 
be thought of as the sum of the times 
required to perform certain tasks or travel 
distinct path segments. For the sake of 
simplicity, both task times and travel 
times are referred to as adversary task 
times. In general, it is not possible to 
predict the exact time interval necessary 
for the adversary to perform these tasks or 
proceed across these path segments. This 
is due to the fact that the adversary (or the 
response force) will not always perform a 
task within exactly the same time. For 
example, the adversary may take more or 
less time to get through a door, or the 
response force might have trouble starting 
a vehicle. Over a number of attempts, 
some variation in delay values will be 
observed. To allow for this expected varia- 
tion in EASI, these time intervals are 
modeled as random variables possessing 
an average or mean value and a standard 
deviation. The length of each of these suc- 
cessive adversary task times is input into 
EASI as a mean time and a standard devia- 
tion. Standard deviation is discussed in 
more detail below. 

Response time is modeled in EASI as 
the time between the generation of an 
alarm signal by a sensing device and 
the confrontation of the adversary by a 
response force adequate to halt the 
progress of the adversary along the path. 
This time consists of the successive time 
increments listed below and shown in 
Figure 14.1: 

• alarm communication time 

• time required for alarm assessment 
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Figure 14.1 Elements of Guard Response 
Time in the EASI model. This is the 
required chain of events for successful 
guard response 



• guard communication time 

• time required for the guards to 
prepare, to gather arms, to start vehi- 
cles, etc. 

• guard travel time 

• time required for the guard force to 
muster and deploy 

Response time input to EASI is in the 
form of a single mean time and standard 
deviation representing the sum of all 
the elements shown in Figure 14.1. Note 
that inclusion of these six time segments 
into the guard response time is different 
than the response time discussed in 
Chapter 12, "Response." Alarm commu- 
nication and assessment times were incor- 
porated into RFT within the EASI model 
to simplify data entry and handling. The 
use of RFT should not be confused with 
P c . RFT is a measure of the time it takes 
to receive, assess, and respond to an 
alarm; P c is a measure of the likelihood 
that there will be successful communica- 
tion to the response force to carry out the 
response. 

There is one final note on data input to 
the EASI model. The time data entered 
into EASI may be in units of seconds or 
minutes, but not both. Given this con- 
straint, delay and RFT should be in the 
same unit. If delay times are entered in 
seconds and RFT in minutes, the dis- 
crepancy will affect the accuracy of the 
output. 
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Table 14.1 Guard Response Time Trials. 

Multiple tests were conducted to 
measure response force time at a facility. 
X avg is the average of the five trials and 
Xj is the individual trial result. 



Trial Number 



Response Force (X r X a 
Time (minutes) 



1 


9 


2 


7 


3 


10 


4 


11 


5 


8 




Figure 14.2 Distribution of Response 
Time Data Points. In a Gaussian distribu- 
tion, 68% of the values are found within 
the interval X a , „ - S and X aTO + S 



Standard Deviation 

To use the EASI model as effectively as 
possible, some knowledge of the term 
standard deviation is required. Standard 
deviation is a measure of dispersion of a 
set of related data. Suppose the response 
time of the guard force at a facility is mea- 
sured five times and gives the results 
shown in Table 14.1. 

Using this data, the average response 
time is (9 + 7 + 10 + 11 + 8)/5 = 9 minutes. 
The standard deviation is a measure of the 
amount that a given data point is likely to 
deviate from the mean of all the data. 
Quantitatively this is calculated as: 



s„ = 



L£fvAj X av gJ 



n-1 



o+(-2) +(ir+(2r+(-ir 



(5-1) 



= 1.58 



This is the sample standard deviation, 
based on n = 5 observations. If we were to 
collect many observations on the response 
time, the sample standard deviation, s n , 
would tend towards S, the standard devia- 
tion for the true distribution of response 
times. The sample standard deviation, s n , 
should not be used in the EASI model. 
This is because 5 data points are not suf- 
ficient to justify this estimate of the 
population standard deviation. A better 



approach would be to collect response 
time data over several months and divide 
the data into groups of 5. Then find s n for 
each group using the equation above, and 
average these values to estimate S, the 
population standard deviation. This will 
take a minimum of 30 data points, and 6 
values of s n . This average s n can then be 
used in EASI as the standard deviation. 
As an alternative, tests at Sandia have 
shown that the standard deviation of a 
time event can be conservatively esti- 
mated at 30% of the mean and, therefore, 
if there have not been enough tests to 
establish a statistically significant stan- 
dard deviation, one can simply use 30% 
of the estimated mean. These assumptions 
are equally applicable to delay times; that 
is there is a standard deviation associated 
with each mean time, and the standard 
deviation can be approximated by using 
the mean ±30%. Use of the standard 
deviation for RFT and delay times allows 
consideration of the fact that guards will 
not always respond in exactly the same 
time, and that adversaries may take more 
or less time to penetrate barriers. 

If we were to make many measurements 
of the RFT, we would expect to find a 
Gaussian distribution of data points as 
shown in the curve in Figure 14.2. In a 
Gaussian (or normal) distribution, 68% of 
the values are found within the interval 
(X avg - S) and (X avg + S). In the above case, 
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this means that we would expect the RFT 
to be between 7.42 and 10.58 minutes 
68% of the time. 



The Output 

The output of the EASI model is an esti- 
mate of the probability that a sufficient 
number of response force personnel will 
interrupt the adversary at some point 
before the adversary completes acts of 
theft or sabotage. The output is the proba- 
bility of interruption, P,. If there is one 
sensor on the path, this probability is cal- 
culated as: 

Pi = Pc*Pd 
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Figure 14.3 Adversary Path to Asset in a 
Vital Area. The adversary must cross the 
fence, approach the building, enter the 
outer door, travel to the asset location, 
enter an inner door, and then set up the 
explosive charge at the asset 



Using the Model 



To use EASI, the initial step is the selec- 
tion of an adversary action sequence. The 
selection should be based on thorough 
knowledge of the facility and reasonable 
assumptions about the adversary. Next, 
select a physical path to the asset corre- 
sponding to the chosen sequence. Visual- 
ize the adversary tasks along that path, 
and determine the location of sensors. 
Then, obtain the required data: (1) the 
probabilities of detection and communi- 
cation, and (2) the mean and standard 
deviation of task times and response 
times. Finally, enter the data into the com- 
puter and obtain the results. The real 
value of the EASI model does not end 
there, however, because the analyst now 
has the opportunity to change the input 
data and see what effect this has on the 
output. A few examples will demonstrate 
these effects. 



EASI Examples 

Consider the example where the adver- 
sary intends to sabotage a target in a vital 
area as shown in Figure 14.3. The adver- 
sary intends to penetrate the fence, travel 



to the building, force open a door, travel 
to the vital area, force open another door, 
and set and detonate an explosive device 
on the critical asset. Detection and delay 
values are shown in Figure 14.4 and the 
RFT is 300 seconds. 

After entering this data in EASI, the 
result shows the probability of interrup- 
tion is 0.48, as shown in Figure 14.4. The 
analyst may decide that this P] is too low 
and that something should be done to 
improve this result. If a fence sensor with 
a probability of detection of 0.9 were 
added to the outer fence, the input would 
be as shown in Figure 14.5. The Pi in this 
upgraded case is 0.58, which may be satis- 
factory and may justify the installation of 
the fence sensor system. 

If this value is still not acceptable, an 
additional upgrade could be modeled. 
For example, if the RFT is also reduced 
to 200 seconds, the new Pi is 0.90 (see 
Figure 14.6). This is a significant improve- 
ment and only required relocating guards 
closer to the target, necessitating low 
or no additional cost. Or, if preferred, 
guards could be left at their current loca- 
tion (RFT still 300 seconds) and delay 
can be doubled at the asset, perhaps 
by enclosing it in a hardened case. 
This would result in a Pi of 0.84 (see 
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Figure 14.4 Results of EASI Analysis for Adversary Path. P, is 0.48 for this path 



Figure 14.7). This is not quite as high as 
the previous upgrade, but might be easier 
or cheaper to implement or be opera- 
tionally more acceptable. When the P^ 
along all paths are approximately equal, 
the PPS is said to be balanced — that is, all 
paths are equally difficult for the adver- 
sary to achieve their goal. Note that 
balance is achieved by mixing detection, 
delay, and response components and that 
there are a number of possible combina- 
tions that will result in acceptable system 
performance. This provides the opportu- 
nity to select combinations that meet cost 
and operational requirements without 
compromising system effectiveness. 

These results demonstrate the utility of 
the EASI model, or the ability to adjust 
protection elements and their perfor- 
mance in order to predict overall system 



effectiveness prior to implementation. 
Further manipulation of detection and 
delay components at different points on 
the path will emphasize the value of the 
security principles discussed throughout 
the text. These include detection early on 
the path and prior to delay, effectiveness 
of delay at the asset, the relationship 
among detection, delay and response 
functions, timely detection, and the prin- 
ciples of protection-in-depth and bal- 
anced protection. 



Critical Detection Point 

As described in Chapter 13, "Analysis and 
Evaluation," the critical detection point, 
or CDP, is the point on the path where the 
delay time remaining first exceeds the 
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Figure 14.5 Results of EASI Analysis after Upgrade. A fence sensor with P D of 0.9 was 
added to the outer fence resulting in an improved P] of 0.58 



response force time. EASI cannot locate a 
CDP because the delay and response force 
times are random variables in a distribu- 
tion, so there is a chance any point on the 
path will be the CDP during the actual 
attack. The concept of a CDP is too impor- 
tant to dismiss, however, because it gives 
valuable guidance on where to put addi- 
tional protection — that is, add detection 
before or at the CDP and delay after. 

Many of the more complex analysis 
tools, like SAVI or ASSESS, that find 
most-vulnerable paths, use only the mean 
delay and response force times, because 
their algorithms fail when variation is 
introduced. Experience with these tools 
over the years has shown that effective 
systems can be designed by assigning the 
CDP based on the mean times, and then 



adding detection before this CDP and 
delay after it. This CDP, based on the mean 
values, will be what we refer to as the CDP 
in this chapter, rather than the more 
precise definition found in Chapter 13. 
For example, in Figure 14.4, the CDP is at 
the first door. To illustrate why this CDP 
is important for effective design, we will 
incorporate detection (P D = 0.9) at the 
target itself and show the results in Figure 
14.8. The Pi is 0.48, which is the same as 
the baseline system. In Figure 14.9, 20 
seconds of delay has been added at the 
fence, again resulting in a P! of 0.48. Both 
of these upgrades were on the wrong side 
of the CDP and both had negligible effect 
on performance. 

While it is practical to set the CDP 
based on mean delay and response 
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Figure 14.6 EASI Analysis after Reduction in Response Force Time. Reduction of RFT 
and detection at the fence has increased Pi to 0.90 



force times, this must be done carefully, 
with the understanding that there will 
be variations in times. In Figure 14.4, 
the mean time remaining at the CDP 
exceeds the mean response force time 
by only 10 seconds — not a lot of leeway. 
Considering that the standard deviation 
for the response force time is 90 seconds, 
and that for the time remaining is 27 
seconds, we see that 10 seconds leeway is 
probably insufficient to assure that any 
detection at this door will be effective. 
Typically, 30 seconds or more is desirable. 
This does not mean that a very large 
difference between RFT and time remain- 
ing on the path is by itself a design crite- 
rion, but it could become one if most 
of the detection is located on the path 
near the CDR 



Use of Location Variable in EASI 

At this point, all but one of the required 
input elements to the EASI model have 
been discussed. This last input falls in 
the column labeled Location in the pre- 
vious figures. Note that each of these 
results have a B in this column. The Loca- 
tion column is used to describe where in 
the model detection falls relative to delay 
for the specific protection element. Con- 
sider that if detection and delay both exist 
at an element, the detection may start 
before delay, at the end of delay, or 
somewhere between. Due to these possi- 
bilities, EASI allows assignment of detec- 
tion relative to delay to more accurately 
model system effectiveness. To do this, 
entries are B for detection before delay, 
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Figure 14.7 EASI Analysis after Addition of Delay at Asset. With detection at the fence 
and delay at the target, P! is now 0.84 



M for detection during delay (middle), 
and E for detection after or at the end 
of delay. Where there is no detection 
associated with the delay the location 
parameter will not matter. When the 
location is B, the delay time is calcu- 
lated using the mean delay time for that 
element plus-or-minus the standard devia- 
tion; when an E is entered, EASI uses 
as the time delay for this task. Use of an 
M indicates that the delay happens some- 
where in between the before and end 
values, so is approximated as one-half the 
mean plus-or-minus the standard devia- 
tion. The mathematical calculations 
for these assumptions are shown in 
Appendix B, "EASI Model." Use of this 
location parameter allows the model to 



better allocate credit to the standard 
deviation of the delay time. This in turn 
allows the analyst to achieve a more real- 
istic view of the probability of interrup- 
tion by calculating the P r based on the 
relationship of detection and delay time 
at each protection element. This is a 
complex point that may be best explained 
through the use of examples. 

For example, a locked door with a bal- 
anced magnetic switch sensor might be 
assigned a location of E. This is because 
the sensor will not register an alarm until 
the door is opened a small distance. An 
attack on the door might be to pick the 
lock, then enter through the door. In this 
case, most of the delay came from the time 
to pick the lock, not to pass through the 
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Figure 14.8 EASI Analysis with Addition of Detection at the Asset. The Pi remains 
at 0.48 



door, so the detection came at the end of 
the delay, which limits the effectiveness 
of the delay. An example of use of the M 
location parameter might be for the case 
where an adversary will use an explosive 
to penetrate a wall. In this case, the adver- 
sary must take time to set up the explo- 
sive charge, then retreat to a safe distance 
during the detonation. At this point, the 
explosion would presumably be detected, 
but the adversary still has to return to the 
wall and get through the hole to continue 
the attack, so some delay still remains 
after detection. Use of the B parameter in 
the location column is exemplified by a 
volumetric sensor in a room monitoring a 
door. In this case, as soon as the adversary 
starts to penetrate the door, the sensor will 



detect the intrusion, and the adversary 
still must finish penetrating the door to 
get to the asset. The volumetric sensor 
detects before the door delay, so use of a 
B is appropriate. 

Adversary Sequence Diagrams 

In a typical facility there are multiple 
options to defeat the different layers of 
protection. For example, to penetrate a 
locked building, an adversary can de- 
feat doors, windows, walls, or the roof. 
Because the adversary can attack any op- 
tion on each layer, the number of paths 
into the facility easily number into the 
hundreds or thousands. To apply EASI 
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Figure 14.9 EASI Analysis with Addition of Delay at the Fence. The P, remains at 0.48 



to such facilities, the analyst needs some 
systematic method of recording these 
paths. The method used is termed an 
adversary sequence diagram (ASD). 

The ASD is a graphic representation 
of protection system elements that is 
used to help evaluate the effectiveness of 
the PPS at a facility. It shows the paths 
that adversaries can follow to accomplish 
sabotage or theft goals. For a specific PPS 
and a specific threat, the most vulnerable 
path (or the path with the lowest Pi) can 
be determined using EASI. This path 
establishes the effectiveness of the total 
PPS. 

There are three basic steps in creating 
an ASD for a specific site. These include: 

• Modeling the facility by separating it 
into adjacent physical areas 



• Defining protection layers and path 
elements between the adjacent areas 

• Recording detection and delay 
values for each element. 

The ASD models a facility by sep- 
arating it into adjacent physical areas. 
Figure 14.10 shows a representation of 
an example facility. The ASD represents 
areas by rectangles, with areas named to 
model a specific site. The ASD models 
a PPS by identifying protection layers 
between adjacent areas (Figure 14.11). 
Each protection layer consists of a number 
of protection elements (PE), which are the 
basic building blocks of a PPS. Protection 
elements are also referred to as path ele- 
ments and the two are used interchange- 
ably in this chapter. Some types of PEs 
and target locations used in the ASD are 
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Figure 14.10 Sample Facility Represent- 
ing Adjacent Physical Areas. Each area is 
represented by a rectangle 
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Figure 14.12 Basic ASD for a Facility. 
Each physical area is separated by a pro- 
tection layer, which contains the pro- 
tection (or path) elements. A path ele- 
ment can be traversed on entry and exit 
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Figure 14.11 Physical Areas and Protec- 
tion Layers. Each adjacent area is sepa- 
rated from the next by a protection layer, 
which is part of the PPS 



shown in Table 14.2. Acronyms are used 
to keep the element boxes in the ASD 
small. 

Once the ASD is created, the analyst 
records P D , mean delay, standard devia- 
tion of delay, and location for each 
element. Both entry and exit path seg- 
ments can be modeled. The entry path 
segment is from off-site to the asset 
(target), and the exit path segment is from 



the asset back to off-site. A given PE may 
be traversed once (either on entry or exit), 
or it may be traversed twice, on entry and 
in the opposite direction on exit. The ASD 
as it has been developed so far is shown 
in Figure 14.12. The adversary attempts to 
sequentially defeat an element in each 
protection layer while traversing a path 
through the facility to the target. The ASD 
represents all of the realistic paths that an 
adversary might take to reach a target. 

For sabotage analysis, only the entry 
paths would be evaluated, and we assume 
that the protection elements will be tra- 
versed in only one direction. An act of 
sabotage only requires proximity to the 
asset long enough to cause damage to 
the asset; it does not require exit from the 
facility to be successful. For theft analy- 
sis, the protection elements are traversed 
twice — on entry to the asset and on exit 
from the asset. A more conservative pro- 
tection goal, to interrupt the adversary 
before removing the target from its loca- 
tion, requires only that entry be consid- 
ered. When the entry and exit case is 
evaluated, the number of possible paths 
shown on the ASD is the square of the 
number of entry paths. 
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Table 14.2 Most Common Protection Elements Used in ASDs. 

Each protection element has associated detection and delay components. SUR is used 
to model walls, floors, and ceilings; DOR is used to describe personnel doors. One DOR 
is required for each different type of door in a layer. A generic target location (GNL) 
can be used to describe asset locations that are not represented in the existing list. 



Protection Elements 



Target Locations 



EMP Emergency Portal 

GAT Gateway 

ISO Isolation Zone 

MAT Material Portal 

DOR Personnel Doorway 

SHD Shipping/Receiving Door 

SUR Surface 

VHD Vehicle Doorway 

WND Window 



DUC Duct 

EMX Emergency Exit 

FEN Fenceline 

HEL Helicopter Flight Path 

OVP Overpass 

PER Personnel Portal 

SHP Shipping/Receiving Portal 

TUN Tunnel 

VEH Vehicle Portal 



BPL Bulk Process Line 
CGE Cage 
FLV Floor Vault 
GNL Generic Location 
IPL Item Process Line 
OPN Open Location 
TNK Storage Tank 



Site-Specific ASD 

A site-specific ASD is constructed for 
each asset, or set of assets having a 
common location at a facility. The objec- 
tive is to correctly model the PPS that 
exists at a site. This site-specific ASD is 
created by identifying the protection ele- 
ments that are present at the facility. 
Figure 14.13 shows a simplified example 
facility and PPS layout. Figure 14.14 
shows the resulting site-specific ASD that 
is constructed by using the example facil- 
ity information. Sometimes it will be 
necessary to deviate from the orderly 
sequence of physical areas and protection 
layers of the generic ASD in order to 
create an accurate site-specific ASD. 
There are two features in the ASD model- 
ing technique for this purpose — jump and 
bypass. 

A jump is used to model a site element 
that does not directly connect to the adja- 
cent area shown on the generic ASD. As 
shown in Figure 14.15, there is a wall 
common to the controlled building area 
and to the target enclosure. This situa- 
tion is correctly modeled by including a 
SUR jump element from the controlled 
building area to model this portion of 
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Figure 14.13 Sample Facility and Protec- 
tion System. Each area contains certain 
protection features as movement pro- 
gresses from off-site to the asset (target) 



the common surface. The site-specific 
ASD (Figure 14.16) then shows a direct 
path that jumps from the controlled build- 
ing area to the target enclosure (with- 
out passing through the controlled 
room) in addition to all other selected 
indirect paths. 

A bypass is used to model the absence of 
a protection layer. It is possible to bypass 
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features of the example ASD by eliminat- 
ing all of the elements in a layer. If, as 
shown in Figure 14.17, a facility has an 
access area that is itself a building with no 
other controlled rooms present, the result- 
ing ASD would have a direct connection 
between the controlled building area and 
the target enclosure. The bypass is accom- 
plished by eliminating all of the path ele- 
ments in the layer between the controlled 



room and the target enclosure. Figure 
14.18 shows the ASD with this bypass. 

The ASD, then, serves as a useful tool 
to represent all the detection and delay 
elements in a PPS. By graphically repre- 
senting all of the protection elements by 
layer, the analyst will have a simple 
picture of adversary paths into a facility 
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Figure 14.14 ASD of Sample Facility. 
Functional protection elements are found 
in each physical layer of the facility 
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Figure 14.15 Sample Facility with a 
Common Surface. This connection allows 
a direct path from one layer to a nonadja- 
cent area 
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Figure 14.16 Example of a Jump in an ASD. In this case, there is a shared wall between 
the building and the target enclosure, so there is a direct path between these two layers 
at this point 
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and to critical assets. Paths that appear 
weakest can be entered into the EASI 
model, and the resulting P t s can be calcu- 
lated and compared. When all paths have 
achieved approximately the same P u the 
analysis is complete and the system can 
be implemented. The process of calculat- 
ing Pi over many paths is facilitated by 
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Figure 14.17 Sample Facility that Is 
Missing a Layer. In this example, there 
is no controlled room inside the building, 
so one layer is bypassed 



more complex models that make use of 
computing power and the graphical ASD 
entered in a separate module; however, 
these models are not yet commercially 
available. As a result, the EASI analysis 
requires that the analyst successfully 
select the most vulnerable paths. In indus- 
trial applications this is actually easier 
than it sounds, because once an ASD is 
drawn, and detection and delay measures 
collected, system deficiencies are rela- 
tively easy to spot. 

The ASD can serve as a useful tool to 
represent all of the detection and delay 
elements in a PPS. By graphically repre- 
senting all of the protection elements by 
layer, the analyst will have a picture of 
adversary paths into a facility and to crit- 
ical assets. Then, various paths can be 
modeled in EASI and resulting PiS calcu- 
lated and compared. 

Summary 

EASI is a very simple method of quanti- 
tatively evaluating the effectiveness of a 
PPS against a defined adversary utilizing 
a specific path and attack scenario and for 
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Figure 14.18 ASD Showing a Bypass. The controlled room isn't present, so once the sur- 
faces are penetrated, the adversary is at the target enclosure 
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an immediate response. The analyst must 
enter data describing the detection, delay, 
and response components along the 
adversary path. The EASI model then per- 
forms the calculation and displays a prob- 
ability of interruption, P,. If P, is not 
satisfactory, additional PPS measures can 
be incorporated and subsequent analyses 
run to determine the most cost-effective 
solutions. The model reinforces the secu- 
rity principles presented throughout the 
text, including detection before delay, bal- 
anced protection, protection-in-depth, 
response force capability, and timely 
detection. 

EASI only analyzes one specific path, 
selected by the analyst. EASI uses the 
probability of detection, probability of 
guard communication, response force 
time, and delay times to determine P L 
EASI is a Microsoft Excel® application 
and a copy of the Excel worksheet is 
attached in Appendix B, "EASI Model." 

In larger more complex facilities, path 
analysis is aided by the use of ASDs. 
ASDs are a graphic representation of the 
physical layers around a facility, the 
protection elements between layers, and 
paths to the asset. Once this graphic is 
constructed and detection and delay 
values collected, the analyst can review 
possible paths, identify those that appear 
to be weakest, and determine the overall 
effectiveness of the PPS. 



Security Principle 



The EASI model allows for a quantitative 
analysis of a protection system, where the 
asset requires this level of protection and 
performance data exists to support the 
analysis. 
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Questions 



1. What are the limitations of EASI? 
What are the strengths? 

2. What do we mean by path analysis? 

3. Using Figure 14.4, add the following 
steps and performance measures 
that represent an adversary theft sce- 
nario, instead of sabotage. Assume 
RFT = 300 seconds and P c = 0.95. 
What is the P,? Where is the CDP, 
based on mean delays and RFT? 
What detection and delay improve- 
ments could be made? 



Description 


Pd 


Location 


Delay Mean 


Standard Deviation 


1. Remove asset 


0.0 


B 


60 


18 


2. Exit Vital Area door 


0.9 


B 


10 


3 


3. Run to second outer door* 


0.0 


B 


20 


6 


4. Exit outer door 


0.9 


B 








5. Run to gate 


0.0 


B 


15 


4.5 


6. Exit facility 


0.2 


B 


12 


3.6 



This not the same door that they entered through; it is the other door leading out of the building. 
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4. Using the initial theft scenario from 
question 3 above, assume the RFT is 
600 seconds. What is the Pi? What if 
the RFT changed to 150 seconds? 

5. Using the sabotage scenario 
described in Figure 14.4, change 
the following locations and record 
the change in Pj. Explain your re- 
sults. Be sure to change the location 
back to the initial value before 
making the next change. 

a) Task 1, cut fence, change to M. 

b) Task 6, sabotage target, change 
to E. 



c) Task 3, open door, change to E. 

d) Task 3, open door, change to M. 

6. Using the example from Figure 14.4, 
change the probability of communi- 
cation to 0.8, 0.7, and 0.5. Record the 
new P! for each of these values. 
Explain your results. What are some 
possible reasons for lowering the 
probability of communication in a 
PPS? 

7. Using the ASD in Figure 14.14 and 
the following information, fill in the 
details of the ASD for all the protec- 
tion elements. 



Threat: 


Outsiders traveling on foot carrying 
explosives and metal tools 


Travel Times: 


Running, approximately 10 feet/second 


1. Tilt/vibration fence sensor: 


0.8 probability of detection 


Climb fence/gate: 


10-second delay (climbing) 


2. Doors in personnel portal (2): 


12-second delay per door 


Combined badge reader (hand geometry 
unit/magnetic stripe) in personnel portal: 


0.85 probability of detection 


Badge reader (hand geometry delay time): 


8-second delay 


3. Officer at vehicle portal: 


0.5 probability of detection 


Officer at officer at vehicle portal: 


30-second delay 


4. Microwave exterior detection system: 


0.9 probability of detection 


Isolation zone width: 


50 feet 


5. Detectors on all doors: 


0.99 probability of detection 


Exterior door 1, 6-inch metal: 


60-second delay 


6. 30-cm, reinforced concrete walls 
and floors: 


3 -minute delay 


7. Exterior door 2, 3-inch metal: 


30-second delay 


8. 1.6-mm interior doors: 


1 -minute delay 


9. Time to steal material: 


2 minutes 


10. Time to sabotage facility: 


51 seconds 


Standard deviation on all times: 


30% of mean 
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8. Create an ASD of a sample facility. 
Show the physical areas, protection 
layers, protection elements, path 
segments, and targets. Remember, 
if there are multiple distributed 
targets, you may need to do more 



than one diagram. Using this ASD, 
pick a few paths to model using the 
EASI tool. You may need to use 
hypothetical values for performance 
measures. 
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The basic premise of the approach pre- 
sented in this text is that the design and 
analysis of physical protection must be 
addressed as an integrated system. In this 
way, all components of detection, delay, 
and response can be properly weighted 
according to their contribution to the PPS 
as a whole. At a higher level, the security 
manager, the facility manager, and senior 
management must balance the effec- 
tiveness of the PPS against available 
resources, and then evaluate the proposed 
design. Without a methodical, defined, 
analytical assessment, the PPS might 
waste valuable resources on unnecessary 
protection or, worse yet, fail to provide 
adequate protection at critical points 
of the facility. For example, it would 
probably be unwise to protect a facility's 
employee cafeteria with the same level of 
protection as the critical production area. 
However, maximum security at a facility's 
main entrance would be wasted if entry 
were also possible through an unguarded 
cafeteria loading dock. 

This chapter will discuss some signifi- 
cant considerations of the PPS designer 
and facility management as they are 
charged with answering the question: 



How do we know if the security system is 
good enough? In earlier chapters, the 
concept of probability of interruption of a 
defined adversary along the most vulner- 
able path in the facility was developed 
and identified as the best measure of PPS 
effectiveness. The next question is: Given 
a certain P I( is that good enough? 

This question may also be stated as: 
How much risk is the facility willing to 
accept versus the cost of reducing that 
risk? The best answer to this question 
should consider all risks to the enterprise 
from all endeavors. This holistic risk 
across the enterprise is made up of risk 
elements including financial risk manage- 
ment, liability risk financing, property/net 
income financing, employee benefits, 
environmental health and safety, and 
property engineering in addition to secu- 
rity risk. Thus, security is only one com- 
ponent of risk to the enterprise and must 
allocate resources within the larger risk 
picture. The facility or corporate Chief 
Risk Officer must still combine all of the 
various risks and help the corporation 
manage total risk. While the security 
department may be able to aid in mitiga- 
tion of risk in other areas, the security 
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organization is only one of many func- 
tions that must be depended on to assure 
that the corporate enterprise manages and 
limits their risk exposure. Given limited 
resources to be applied to address all 
risks, each application of a portion of 
those resources must be carefully and 
analytically evaluated to ensure a bal- 
anced risk. 

This chapter will address how to apply 
limited security resources within the 
context of risk to the enterprise and show 
how the security system reduces overall 
risk to the facility. In this text, risk is 
defined as the likelihood of damage or 
loss multiplied by the potential magni- 
tude of the loss. 



might be the distribution of assets across a 
large industrial site. By separating the 
assets, fewer assets are at risk during any 
given adversary attack. Risk transfer is the 
use of insurance to cover the replacement 
or other costs incurred as a result of the 
loss. This is an important tool in many 
security systems. Risk acceptance is the 
recognition that there will always be some 
residual risk. The key is in knowingly 
determining a level that is acceptable to 
the enterprise, not unwitting acceptance. 
It is this last approach that will be elabo- 
rated in the rest of this chapter. 

Risk Equation 



Risk Management Approaches 

Risk management may take one of 
several different forms. Good risk pro- 
grams should include a combination of 
risk financing (insurance) and risk control 
tools to treat the risk. The risk ap- 
proaches used include avoidance, reduc- 
tion, spreading, transfer, and acceptance 
(Grose, 1987). Any one or a combination 
of the five may be appropriate at different 
times, for different assets, and at different 
facilities. Risk avoidance is accomplished 
by eliminating the source of the risk. 
For example, a company may choose to 
buy a critical component from another 
company, rather than manufacture it. This 
removes the production line for that item 
as a sabotage target. Risk reduction is 
achieved by taking some actions to lower 
risk to the enterprise to reduce the sever- 
ity of the loss. This is the goal of many 
security programs — to lower risk by 
implementing at least some security mea- 
sures. Risk can also be spread among mul- 
tiple locations. This may be accomplished 
by having similar production capability at 
more than one corporate site. Then, loss of 
the capability at one site can be managed 
by increasing production at the other loca- 
tions. Another example of risk spreading 



One of the basic assumptions of this text 
has been the need for a method to quan- 
tify the way a protection system performs. 
By understanding how well a PPS pro- 
tects assets from threats, we can also 
address the amount of risk that remains 
after implementation of the design. In 
order to do this, the following risk equa- 
tion is used: 

R = P A *[1-(P,)]*C 

where the terms are as follows: 

R = Risk to the facility (or stakeholders) of 
an adversary gaining access to, or steal- 
ing, critical assets. Range is to 1.0, 
with being no risk and 1.0 being 
maximum risk. Risk is measured for a 
period of time, such as one year or five 
years. 

P A = Probability of an adversary attack 
during a period of time. This can be dif- 
ficult to determine, but generally there 
are records available to assist in this 
effort. The value of this probability is 
from (no chance at all of an attack) 
to 1.0 (certainty of attack). Sometimes 
in the calculation of risk, we assume 
P A = 1.0, which means that it is a 
conditional risk. That is, the calculated 
risk assuming that an attack on a 
facility will occur. 
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Pi = Probability of interruption. This is the 
probability that the defined adversary 
will be interrupted by the response 
force in time to stop the adversary 
from accomplishing his or her objec- 
tives. The principle of timely detec- 
tion is used in calculating this 
probability from (the adversary will 
definitely be successful) to 1.0 (the 
adversary will definitely be interrupted 
in their path). 

C = Consequence value. This is a value 
from to 1 that relates to the severity of 
the occurrence of the event. This is the 
normalizing factor, which allows the 
conditional risk value to be compared 
to all other risks across the site. A con- 
sequence table of all events could be 
created that would cover the spectrum 
of loss, from highest to lowest. There- 
fore, by using this consequence table, 
the risk can be normalized over all pos- 
sible events. Then the limited PPS 
resources can be appropriately allo- 
cated to ensure the risk is acceptable 
across the spectrum. 

This risk formula incorporates the effec- 
tiveness measure, P t , by subtracting it 
from 1.0. If P, = 1.0, the risk drops to 0. If 
Pi = 0, then the conditional risk is equal 
to the consequence value, which deter- 
mines the upper limit of risk. For those 
cases where force-on-force incidents 
can be expected, the system effective- 
ness measure will change. In these cases, 
system effectiveness is measured by mul- 
tiplying the probability of interrup- 
tion and the probability of neutralization. 
This product is then subtracted from 
1.0, in place of Pi. This system effective- 
ness considers not only the arrival of 
the response force, but also the outcome 
of any force-on-force battle. This is not an 
expected event in most industrial appli- 
cations, but this calculation is included 
for completeness. 

The risk equation provides the oppor- 
tunity to model the effect of some assump- 
tions that we make. For example, if we 



assume that P A is equal to 1.0 (there will 
be an attack), this term drops out of the 
equation. If we then also assume that C is 
equal to 1.0, that is, the consequence is 
the highest we can imagine, this term also 
drops out. This leaves a conditional risk, 
R, that is determined solely by the effec- 
tiveness of the PPS, which can be useful 
in establishing the worst case risk — that 
is, a certain attack by the most capable 
adversary on the most valuable target. It is 
then possible to go back and use different 
consequence values to determine the risk 
to the enterprise for lower consequence 
losses. This will allow a prioritization 
of targets and appropriate protection. 
Finally, the probability of attack may also 
be varied, based on available data where 
possible, and a realistic assessment of risk 
can be obtained. This three-step process 
can help in simplifying the complexity of 
the risk assessment by varying only one 
term at a time, allowing an appreciation 
of the influence of each factor on the 
outcome. In some cases, P A and PPS 
effectiveness are not independent. For 
example, a very effective PPS may 
deter the adversary from attacking, but for 
the purposes of this text, we assume 
independence. 

The derivation of the terms of the risk 
equation has been discussed in previous 
chapters. We are now in a position to see 
how the overall process works and how 
these measures can be merged to predict 
the risk the facility or enterprise faces 
within the security function. The process 
of vulnerability assessment (VA) serves as 
the method of determining the Pi compo- 
nent of risk and then providing upgrades 
to the existing system to strengthen any 
system vulnerabilities. 

Vulnerability Assessment Process 

A team with broad experience is neces- 
sary to ensure that a complete and accu- 
rate VA is produced. The team must have 
a team leader who is a security specialist 
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and who can ensure that the VA is correct. 
The members of the team should be: 

• Team Leader 

• Security Systems Engineer 

• Response Expert 

• Data Analyst 

• Operations Representatives 

• Subject Matter Experts, such as 
locksmiths, explosives personnel, or 
information systems experts 

Some members of the team may only 
be required occasionally, and others 
may be needed on a permanent basis. The 
team leader should be experienced in 
some aspect of security systems design 
and project management. The security 
systems engineer will have an under- 
standing of detection, delay, and response 
technologies, and the integration of secu- 
rity systems. Response experts will have 
knowledge of weapons, response force 
tactics and training, contingency and 
emergency planning, and investigation 
techniques. The data analyst will under- 
stand how to use a computer model to 
predict system performance. This person 
may also be a security systems engineer, 
a response or delay expert, or a subject 
matter expert. Depending on the facility 
and threats, experts in locks, explosives, 
and other specialized skills may be 
necessary to asses threats and establish 
performance goals for the designed 
system. In addition, operations represen- 
tatives including safety, production, legal 
personnel, and other facility experts will 
be required to provide input on allowable 
activities or any operational effects of pro- 
posed changes. 

Once the team is assembled, the first 
phase of the design and evaluation 
process can begin — determine system 
objectives. The output of this stage should 
be a complete facility characterization, 
including a description of existing secu- 
rity elements, a design basis threat or 
threat spectrum, and an understanding of 
all assets at the facility and their associ- 



ated consequence of loss. Asset identifi- 
cation and consequence analysis may be 
aided by the use of a fault tree. At this 
point, the baseline system can be modeled 
using EASI and ASDs and an initial P;, can 
be determined. These results can be com- 
pared to the system objectives and a risk 
value quantified using the equation above. 
If the risk value is acceptable, the existing 
system is satisfactory; if not, system 
redesign must be done to lower the risk to 
the facility. 

Risk Assessment 

It is important to note that in order to truly 
make cost-benefit decisions, the system 
effectiveness and associated risk of the 
current, or baseline system, must be 
known. It will be impossible to make good 
cost-benefit decisions without this infor- 
mation, because it is essential to know the 
decrease in risk and the cost to get there 
in order to make an informed decision. It 
is also important to recognize that there 
will only be a limited amount of funding 
available to accomplish the security goals. 
So, if the threat to a facility is high, but 
there is only enough money to protect the 
facility against a lower threat, there will 
be additional risk. Different system per- 
formance or effectiveness will be required 
against different threats. Because system 
effectiveness is dependent on the threat, 
there will be different P^, and therefore 
different risk values, for different threats. 
As threats get more capable or sophisti- 
cated, the security system must also 
perform better. This relationship is shown 
in Figure 15.1. This analysis can serve as 
the justification for additional funds to 
further reduce risk or can serve as the 
basis for a longer-term plan to increase 
security over a number of years. The goal 
of the risk assessment is not to spend as 
much money as possible, but rather to 
help decision-makers spend the available 
money most effectively to reduce security 
risk to the facility or enterprise. If the 
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Low 



I Single outsider I Low Plus: 

I No technology I Mort outsiders 
Some technology 

I No weapons 
| Hand tools 

I Low $ I Knowledge 

Nonviolent 'Mediums 
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Threat Spectrum 
Medium High 



Medium Plus: 
One insider 
Large tools 
Explosives 
Large SS 
Violent 



Classified 

I High Plus: 

I 



I 9 I 



Current 
System 

(J) 



Option 1 

($$) 



Option 2 



Option} 
(SSSSS) 



Performance 
(Cost) 

Figure 15.1 Threat Spectrum and System Performance. After the decision to invest in a 
protection system is made, it will be necessary to determine how much the system helped 
to decrease risk. If the expected threat is high, but there is only enough budget or other 
resources to protect against a lower threat, there can still be significant risk 



results indicate an unacceptably high risk 
exposure, additional funds can be made 
available to increase security system 
effectiveness more quickly. As an alterna- 
tive, completion of the risk assessment 
will show which threats have been miti- 
gated by the protection system and which 
threats still pose an unacceptably high 
risk to the facility. When these risk assess- 
ments are completed, they should be 
treated as proprietary data and shared 
only on a limited basis throughout the 
company. 

An additional tool that can be useful in 
the risk assessment of a facility is the con- 
sequence matrix that was introduced in 
Chapter 4, "Target Identification." Now 
that a complete discussion of the security 
system objectives and functions has been 
presented, it is helpful to look at this 
again. A sample consequence matrix is 
shown in Table 15.1. 

All of the elements of the consequence 
matrix have been thoroughly discussed in 
previous chapters. The probability of 



adversary attack and threats placed inside 
the matrix are determined in threat defini- 
tion. Consequence of loss is determined 
when identifying targets of adversary 
attack. Special attention should be paid to 
any threats that appear in the top left box 
of the matrix — high consequence of loss 
and low probability of occurrence. It is 
common to hear executives and security 
managers accept this risk by saying the 
probability of the event happening is low, 
so no action is required. This approach 
can work if the facility is truly prepared 
to accept the risk; however, low probabil- 
ity is not a zero probability. Full consid- 
eration of these events should be part of 
the analysis that the security organization 
provides to the corporation and is the 
best example of the use of conditional risk. 
For example, the Challenger space shut- 
tle explosion, the chemical release and 
loss of over 10,000 lives in Bhopal, and 
the Chernobyl reactor accident are good 
examples of high-consequence, low- 
probability events. While none of these 
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Table 15.1 Consequence Matrix. 



Shaded boxes in the top right corner indicate the threats that must be prevented. 
The threats in the lower left box may be acceptable as is or with limited procedural 
changes. The threats in the unshaded boxes indicate the areas in which decisions must 
be made when allocating resources. Depending on the facility, high-consequence, low- 
probability events can take precedence over other events. 



High Consequence 








Medium Consequence 








Low Consequence 










Low probability 


Medium probability 


High probability 



is a security incident, they could have 
been. Examples of security incidents 
include the Oklahoma City bombing, the 
shooting of two police officers at the U.S. 
Capitol, the Columbine school shooting, 
and prison riots where guards or inmates 
are killed. In addition, the bombing of the 
World Trade Center serves as an example 
of a potentially devastating incident in 
which luck, not planning, averted the loss 
of many thousands of lives and significant 
property destruction. 

The consequence matrix relates the 
probability of adversary attack, conse- 
quence of loss of the asset, and the threat 
spectrum. This can be a useful tool when 
presenting reviews of the security function 
or requests for additional budget to senior 
management. It puts all of the pertinent 
information together in a simple and 
graphic form. These issues can then be 
related to risk and various options to 
increase protection system effectiveness. 
An example of this is shown in Figure 15.2. 

Through the use of the risk equation, 
various security improvement options can 
be evaluated by relating system perfor- 
mance and, therefore, risk reduction to 
cost options. In this way, the security 
organization can present their proposals 
in a manner in which senior executives 




Figure 15.2 Relationship of Risk and 
Security System Upgrades. Each upgrade 
option has a level of risk and cost associ- 
ated with it. This is a quick way to show 
the cost-benefit of possible options to 
senior management when trying to decide 
which option to fund 



can use familiar principles to understand 
how the security organization helps the 
overall enterprise and what measurable 
improvements can be expected in return 
for a budget investment. 

These risk values are based on the exis- 
tence of a measure of system effectiveness 
or P], If a qualitative analysis is used, the 
Pi measure is more uncertain, possibly 
leading to incorrect conclusions. This is 
only acceptable if the assets have a lower 
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consequence of loss or fall into the accept- 
able risk category. 

Performance Testing 

In addition to the use of EASI code to cal- 
culate P b system performance tests, com- 
ponent performance tests, and initial data 
verifications should be conducted prior to 
acceptance of the risk associated with the 
final design for a PPS. Documentation 
of the actual performance tests is required 
to support the overall risk calculation. 
Even after a PPS design is accepted and 
approved, testing must continue. Some of 
the classes of tests are: 

• operability tests — conducted daily by 
facility security personnel to ensure 
that the PPS equipment is operating 
properly. 

• performance tests — conducted peri- 
odically to ensure that the sensitivity 
of the PPS equipment is high enough 
to support the assumed values of P D 
used in the analysis models. 

• post-maintenance tests — conducted 
after maintenance on the PPS 
equipment to ensure it is working 
correctly and is at the desired level 
of sensitivity. 

• whole system and limited scope 
tests — conducted by the facility to 
ensure large parts of the system are all 
working together as assumed in the 
analysis. Some of the coordinated 
parts of the PPS that should be tested 
together might be detection with 
response and detection with delay. 

• evaluation tests — periodic indepen- 
dent tests on the PPS to ensure that 
the VA is still valid and that the 
expected level of PPS effectiveness is 
being maintained. 

The operability and post-maintenance 
tests are needed whether the basis of 
analysis is qualitative or quantitative. In 



fact, all five types of testing can support 
qualitative risk analysis; the only distinc- 
tion is that the data enters the risk analy- 
sis qualitatively, not quantitatively. 

Summary 

A recommended process for the design 
and analysis of a PPS was presented in the 
preceding chapters. This process culmi- 
nates in values for C, P A , and P^ Once 
these measures are determined, the risk 
to a facility by a particular threat can be 
calculated. Through the use of the risk 
equation, various proposed upgrades in 
physical protection at a facility can be 
compared. The options that give the best 
cost-benefit to the facility can be imple- 
mented. This process allows limited secu- 
rity resources to be allocated to protect 
assets that are most important. In addi- 
tion, there is a quantifiable result that can 
be used to show senior executives what 
they get for their investment, and it is 
expressed in terms that are familiar to 
them. The risk is normalized to the con- 
sequence of loss of the asset, and thus the 
allocation of scarce physical protection 
resources is appropriately applied to keep 
all risks at an acceptable level. 



Security Principle 

Through the use of the risk equation, 
R = P A * [1 - (Pi)] *C, system effectiveness 
can be used to quantify the risk a facility 
faces from a specific threat. Use of the risk 
equation and P] will enable good cost- 
benefit decisions to be made and help 
select the option that reduces risk to an 
acceptable quantity. 
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Questions 

1. Why is risk assessment important 
to the evaluation of a protection 
system? 

2. Pick a facility as an example and 
plan out the vulnerability assess- 
ment that would need to be com- 
pleted. Include a description of who 
should be on the team, what tasks 
the team would need to accomplish, 
and how the team would report its 
findings. 

3. Using the risk equation and the fol- 
lowing information, calculate the 
risk to a facility. 

a) Assume a conditional risk, that 
is, the adversary will attack. 

b) How does conditional risk 
change when the consequence 



value changes from High (C = 1), 
to Medium (C = 0.5), to Low 
(C = 0.2)? 
c) Assume that the Pi for the 
system is 0.7 for a design basis 
threat (the maximum credible 
threat) of three armed criminals 
with insider assistance. How 
does conditional risk to a high- 
consequence asset change if 
the threat is now reduced to 2 
outsiders and Pi is 0.85? What if 
Pi increases to 0.95 against the 
lowest threat, a single vandal? 

4. Using the risk equation and the 
knowledge that an asset has a con- 
sequence value of 0.5, calculate the 
risk for the following P A s: 

a) P A = 0.2 

b) P A = 0.5 

c) P A = 1.0 

What conclusions could you draw 
from this? 



Appendix A 

Threat Tables 



Outsider Table. 





Type of Adversary 


Potential Action 
Likelihood (H, M, L) 












Theft 












Sabotage 












Othfir 












Motivation (H, M, L) 












Ideological 












Economic 












Personal 












Capabilities 












Number 












Weapons 












Equipment and tools 












Transportation 












Technical experience 












Insider assistance 
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Insider Table. 


Insider 


Access to Asset 
(often, seldom, 
never) 


Access to PPS 
(often, seldom, 
never) 


Theft 

Opportunity 
(H, M, L) 


Sabotage 
Opportunity 
(H, M, L) 


Collusion 
Opportunity 

(H, M, L) 















































































































































































































Appendix B 

EASI Model 



The EASI method calculates the probabil- 
ity of interruption of an adversary action 
sequence aimed at theft or sabotage. This 
is the probability that the response force 
will be notified when there is sufficient 
time remaining in the sequence for the 
force to respond. The notification of 
the response force is called an alarm, 
and the probability of alarm is: 

P(A) = P(D) P(C) 

where P(D) = probability of detection and 
P(C) = probability of communication to 
the response force. 

In the case of a single detection sensor 
(or other possible means of detection), 
the probability of an adversary action 
sequence interruption is given by: 

P(I) = P(R I A) P(A) 

where P(R I A) = probability of response 
force arrival prior to the end of the adver- 
sary's action sequence, given an alarm. 

An adversary action sequence takes 
place along a path consisting of a starting 
point, a sequence of detection sensors, 
transit and barrier delays, and a terminal 
point. The transits and barriers can be 
thought of as tasks the adversary must 



perform. Current versions of EASI allow 
specification of where the detection 
sensors are located with respect to the 
task delays — before, after, or during the 
task delay. 

If TR is the time remaining for the 
adversary to reach the terminal point 
when a sensor activates, and RFT is the 
response time of the security force, then 
for adversary interruption it is necessary 
that 

TR - RFT > 

The random variables TR and RFT are 
assumed to be independent and normally 
distributed* and thus the random variable 

X = TR - RFT 

is normally distributed with mean 

K, = E(TR - RFT) = E(TR) - E(RFT) 

variance 

c 2 x = Var(TR - RFT) = Var(TR) + Var(RFT) 



* The normal distribution requirement may be 
approximated by letting TR and RFT be sums 
of random variables which satisfy the condi- 
tions of the Central Limit Theorem. 
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and 



P(R|A) = P(X>0) 
7 1 



V2 



KOI 



-exp 



(x-/Jj" 
2o: 



dx 



In EASI, P(R | A) is approximated using 
the NormSDist function found in Excel®. 
Because the method is concerned with 
the time remaining in the sequence, 
evaluation of E(TR) and E(RFT) at point 
p along a path of interest must be with 
respect to the terminal point. The pene- 
tration time through each barrier and 
the transit time between barriers are con- 
sidered to be random variables with 
values corresponding to the level of 
adversary resources. Then, the expected 
time from any point p to the terminal 
point n is 

E(TR) at point P = E(Time After 
Detection at point p)+ X E(T;) 



i=p+l 



where 



E(Tj) = the expected time to perform 
Task i 

and 

E(Time After Detection at point p) = 
E(T) if detection is at the beginning (B) 
E(Tj)/2 if detection is in the middle (M) 
if detection is at the end (E). 

Assuming each task to be independent, 
the variance of the path time remaining 
between point p and the terminal point 
n is 

Var(TR) at point p = Var(Time After 

n 

Detection at point p) + X Var(Tj) 
h=p+i 



Var(T)/4 if detection is in the middle 

(M) 
if detection is at the end (E). 

For two or more sensors the conditional 
probability of response force arrival, 
P(R|A), for each sensor must be calcu- 
lated as previously described. Then the 
formula for P(I), the cumulative probabil- 
ity of sequence interruption calculated 
along the adversary's path from the start- 
ing point, must consider detection at the 
first location, at the second, and so on. For 
example, for a path with two detection 
locations: 

P(I) = PfA^PtCJ* PCRlAJ + 

(1 - P(D 1 ))*P(D 2 )*P(C 2 )*P(RlA 2 ) 

Notice that PfCJ is included in the first 
term but not the second. This is because 
if we do detect at the first location, but do 
not communicate to the response force 
based on that detection (due to jamming, 
etc.), we will probably not get a second 
chance to communicate at the second 
location just by the virtue of being 
detected there. (The probability of this 
event is P(DJ*(1 - Pfcj), which repre- 
sents the difference between P(D 1 )*P(C 1 ) 
in the first probability term and PfDJ used 
in the first part of the second probability 
term in (8).) 

The general formula for P(I) based on 
similar reasoning is 

P(I) = P(D 1 )*P(C,)*P(R|A 1 ) 
+ 5>(R|A i )P(C i )P(D i )fla- p (E>i)) 



1=1 



(9) 



(7) 



where 



Var(Time After Detection at point p) = 
Var(TJ if detection is at the beginning 
(B) 



Additional Notes on EASI 
Excel Model 



The next pages are printouts of the Excel 
model. This can be used to create the 
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application if the user has no Internet 
access to download the model. The EASI 
computer model in Excel exists as an 
excel worksheet with embedded macros. 
Due to the presence of the macros, when 
the file is first opened an alert warning of 
possible virus infection may be presented. 
Choose "Enable macros" to continue 
running the file. The following instruc- 
tions can be used to re-enter the necessary 
information to build the EASI file. The file 
is comprised of three tabs — the user 
interface (XL Easi), the calculations 
(EASI2.XLS), and the macro (EASIO. 



XLM). Questions concerning the creation 
of a worksheet file in Excel may require 
use of the Excel Users Manual. The bold 
letters and numbers in the first column 
and row of each table represent column 
and row numbers in Excel. 

The first tab in the Excel file (XL Easi) 
is a table formatted to look like Figures 
14.4 through 14.9. This can be formatted 
using whichever font or line widths 
desired, but the data must reside in the 
appropriate column/row. The data inside 
the table (columns D through G, rows 
9-20) is entered for a specific path. 



l 

2 

3 

4 

s 

6 

7 
» 
8 
10 

11 

12 
13 

14 
15 
16 

17 
18 
19 

20 
21 

22 

23 



Estimate of 
Adversary 
Sequence 
Interruption 



Probability of 

Guard 

Communication 



0.95 



Response Force Time (in Seconds) 
Mean Standard Deviation 



300 



90 



Task 


Description 


P(Detection) 


Location 


Delays (in 
Mean: 


Seconds): 

Standard Deviation 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 


Cut Fence 





B 


10 


3 


Run to Building 





B 


12 


3.6 


Open Door 


().') 


B 


90 


27 


Run to Vital Area 


() 


B 


10 


3 


Open Door 


0.9 


B 


90 


27 


Sabotage Target 


() 


B 


120 


36 































































U;!y gf Inters |j tton: 



0.4760407701 



Second tab (EASI2.XLS): 

All of the information must appear exactly as shown, in the appropriate cell. 
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1 
2 

a 

4 

s 

(i 

7 

8 

9 

10 
11 
12 
13 
14 
13 
16 
17 
18 
19 
20 



1 
PC ='XL Easi'!D5 



'XL Easi 
'XL Easi 
;'XL Easi 
:'XL Easi 
:'XL Easi 
;'XL Easi 
:'XL Easi 
:'XL Easi 
'XL Easi 
:'XL Easi 
'XL Easi 
:'XL Easi 



!D9 

!D10 

!D11 

!D12 

!D13 

!D14 

!D15 

!D16 

!D17 

!D18 

!D19 

!D20 



'XL Easi 
'XL Easi 
'XL Easi 
'XL Easi 
'XL Easi 
'XL Easi 
:'XL Easi 
'XL Easi 
'XL Easi 
'XL Easi 
'XL Easi 
:'XL Easi 



E9 

E10 

Ell 

E12 

E13 

E14 

E15 

E16 

E17 

E18 

E19 

E20 



:'XL Easi'!F5 



mean 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 
='XL Easi' 



F9 

F10 

Fll 

F12 

F13 

F14 

F15 

F16 

F17 

F18 

F19 

F20 



='XL Easi'!G5 



sdev 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 
='XL 



Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 
Easi' 



G9 

G10 

Gil 

G12 

G13 

G14 

G15 

G16 

G17 

G18 

G19 

G20 



pad 

=SB$5*B9 

=SB$5*B10 

=$B$5*B11 

=SB$5*B12 

=$B$5*B13 

=$BS5*B14 

=SB$5*B15 

=$B$5*B16 

=$B$5*B17 

=$B$5*B18 

=$B$5*B19 

=$B$5*B20 



1-pd 

=1-F9 

=(1-F10)*G9 

=(1-F11)*G10 

=(1-F12)*G11 

=(1-F13)*G12 

=(1-F14)*G13 

=(1-F15)*G14 

=(1-F16)*G15 

=(1-F17)*G16 

=(1-F18)*G17 

=(1-F19)*G18 

=(1-F20)*G19 



H 



K 



1 

2 
3 
4 
5 


dddd 








6 

7 
8 


P(flrst detn) 


cum delays 


Cum Var 


T^ue Mean 


9 


=F9 


=D9+I10 


=(E9*E9)+J10 


=IF(C9="B",D9,IF(C9="M' 


10 


=F10*G9 


=D10+I11 


=(E10*E10)+J11 


=IF(C10="B",D10,IF(C10= 


11 


=F11*G10 


=D1 1+112 


=(Ell*Ell)+J12 


=IF(C1 1="B " ,D1 1 ,IF(C1 1= 


12 


=F12*G11 


=D12+I13 


=(E12*E12)+J13 


=IF(C12="B",D12,IF(C12= 


13 


=F13*G12 


=D13+I14 


=(E13*E13)+J14 


=IF(C13="B",D13,IF(C13= 


14 


=F14*G13 


=D 14+11 5 


=(E14*E14)+J15 


=IF(C14="B",D14,IF(C14= 


IS 


=F15*G14 


=D15+I16 


=(E15*E15)+J16 


=IF(C1 5="B " ,D1 5 ,IF(C1 5= 


18 


=F16*G15 


=D16+I17 


=(E16*E16)+J17 


=IF(C16="B",D16,IF(C16= 


17 


=F17*G16 


=D17+I18 


=(E17*E17)+J18 


=IF(C17="B ",D1 7,IF(C1 7= 


18 


=F18*G17 


=D18+I19 


=(E18*E18)+J19 


=IF(C18="B",D18,IF(C18= 


19 


=F19*G18 


=D1 9+120 


=(E19*E19)+J20 


=IF(C19="B",D19,IF(C19= 


20 


=F20*G19 


=D20 


=E20*E20 


=IF(C20="B " ,D20,IF(C20= 



,0.5*D9,0))+I10 

'M",0.5*D10,0))+I11 

'M",0.5*D11,0))+I12 

'M",0.5*D12,0))+I13 

'M",0.5*D13,0))+I14 

'M",0.5*D14,0))+I15 

'M",0.5*D15,0))+I16 

'M",0.5*D16,0))+I17 

'M",0.5*D17,0))+I18 

'M",0.5*D18,0))+I19 

'M",0.5*D19,0))+I20 

'M",0.5*D20,0)} 
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M 



1 
2 
3 
4 
5 
6 
7 
8 
9 

10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 



True Var z-values 

=IF(C9="B",E9*E9,IF(C9="M",0.25*E9*E9,0))+J10 =(K9-SD$5)/SQRT(L9+$E$5*$E$5) 

=IF(C10="B",E10*E10,IF(C10="M",0.25*E10*E10,0))+JU =(K10-$DS5)/SQRT(L10+$E$5*$E$5) 

=IF(C11="B",E11*E11,IF(C11="M",0.25*E11*E11,0))+J12 =(Kll-$DS5)/SQRT(Lll+$E$5*$E$5) 

=IF(C12="B",E12*E12,IF(C12="M",0.25*E12*E12,0))+J13 =(K12-SD$5)/SQRT(L12+SE$5*SES5) 

=IF(C13="B",E13*E13,IF(C13="M",0.25*E13*E13,0))+J14 =(K13-SD$5)/SQRT(L13+$E$5*SE$5) 

=IF(C14="B",E14*E14,IF(C14="M",0.25*E14*E14,0))+J15 =(K14-$D$5}/SQRT(L14+SE$5*SES5) 

=IF(C15="B",E15*E15,IF(C15="M",0.25*E15*E15,0))+J16 =(K15-$D$5)/SQRT(L15+$E$5*SE$5) 

=IF(C16="B",E16*E16,IF(C16="M",0.25*E16*E16,0))+J17 =(K16-$D$5)/SQRT(L16+SE$5*SES5) 

=IF(C17="B",E17*E17,IF(C17="M",0.25*E17*E17,0))+J18 =(K17-$D$5}/SQRT(L17+SE$5*SES5) 

=IF(C18="B",E18*E18,IF(C18="M",0.25*E18*E18,0))+J19 =(K18-$D$5)/SQRT(L18+SES5*SES5) 

=IF(C19="B",E19*E19,IF(C19="M",0.25*E19*E19,0})+J20 =(K19-$D$5)/SQRT(L19+SE$5*SES5) 

=IF(C20="B",E20*E20,IF(C20="M",0.25*E20*E20,0)} =(K20-$D$5)/SQRT(L20+SES5*SES5) 



N 



O 



1 

2 
3 
4 
5 
6 
7 
8 


Normal values 




prod h?*n? 


9 


=EASI2.XLS!fornorm 


a(M9) 


=H9*N9 


10 


=EASI2.XLS!fornorm 


_a(MlO) 


=H10*N10 


11 


=EASI2.XLS!fornorm 


_a(Mll) 


=Hll*Nll 


12 


=EASI2.XLS!fomorm 


_a(M12) 


=H12*N12 


13 


=EASI2.XLS!fornorm 


_a(M13) 


=H13*N13 


14 


=EASI2.XLS!fornorm 


_a(M14) 


=H14*N14 


15 


=EASI2.XLS!fomorm 


_a(M15) 
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The terms in this glossary were derived from physical protection training material pre- 
pared at Sandia National Laboratories. In addition to the security terms included in this 
glossary, many other terms common to other specialized fields have been added. 



acceptance testing: performance of all 
necessary testing to demonstrate that 
installed equipment will operate satis- 
factorily and safely in accordance with 
the design plans and specifications. 

access control: process of managing data- 
bases or other records, and determining 
the parameters of authorized entry, such 
as who or what will be granted access, 
when they may enter, and where access 
will occur. 

access control measures: hardware and 
software features, physical controls, 
operating procedures, administrative 
procedures, and various combinations 
of these designed to detect or prevent 
unauthorized access to classified infor- 
mation, facilities, or materials, and to 
enforce utilization of these measures to 
protect security and property interests. 

access delay: See delay. 

AC&D: Alarm Communication and Dis- 
play. Refers to an integrated system of 
people, procedures, and equipment 



that collects alarm data and presents the 
information in a manner that promotes 
rapid assessment. 

acknowledge: to indicate the reception of 
an alarm signal. 

activated delay: any technique that de- 
lays an adversary and depends on a sen- 
sor to initiate the delay mechanism. 

activated denial: any technique that de- 
nies access to a target and depends 
on a sensor to initiate the denial 
mechanism. 

active: refers to a communication link 
that carries a continuous signal allow- 
ing immediate detection of a break in 
the link. 

active infrared sensor: an active in- 
trusion detection sensor that emits 
infrared light and detects blockage of 
light. 

active lines: scanning lines in the raster 
that contain video information. (See 
raster.) 

active sensor: an intrusion detection sen- 
sor that emits a signal from a trans- 
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mitter and detects changes in, or re- 
flections of, that signal by means of a 
receiver [see passive sensor). 

actual force: force consisting of a physi- 
cal act, especially a violent act directed 
against a robbery victim. 

actual threat: a credible situation or val- 
idated information indicating that facil- 
ity interests are currently or will be at 
risk. 

adversary: a person performing malevo- 
lent acts in pursuit of interests harmful 
to the facility; an adversary may be an 
insider or an outsider. 

adversary action: a specific act per- 
formed by an adversary. 

adversary action sequence (action se- 
quence): a required/ordered series of 
acts performed by an adversary to 
achieve their objectives. 

adversary capabilities: attributes of the 
adversary, such as knowledge, moti- 
vation, and access to equipment that 
comprise a measure of his or her 
abilities. 

adversary class: adversaries are general- 
ly classed as insiders or outsiders, de- 
pending on whether they are working 
inside a facility or must start an action 
sequence from the outside. 

adversary neutralization (neutralization): 
the termination by the facility guard 
force of an attack such that the adver- 
sary is captured, killed, or forced to 
flee. 

adversary path: an ordered collection of 
actions against a target that, if com- 
pleted, results in successful theft or 
sabotage. 

adversary sequence modeling (sequence 
modeling): using an analytical model 
to estimate the probability of success of 
an adversary along a specific path or 
set of paths. 

adversary task: a specific act the adver- 
sary must perform in order to advance 
along a path; for example, penetrate a 
barrier, travel a certain distance, etc. 

AFC: Automatic Frequency Control (us- 
ually video/CCTV). An AFC circuit 



is used to maintain an oscillator at a 
specified frequency. 

AGC: Automatic Gain Control (usually 
video/CCTV). An AGC circuit is used to 
maintain an output signal at a constant 
level over a limited range of input 
signal levels. 

alarm: a warning from a sensor or sensor 
system that a sensor has been triggered 
or activated, usually signaled by light or 
sound; it may indicate a nuisance or 
false alarm, or a valid alarm. 

alarm assessment: process of determin- 
ing an alarm condition status; appraisal 
of the credibility, reliability, pertinence, 
accuracy, or usefulness of an indicated 
alarm. 

alarm priority scheme: a technique or 
presentation for dealing with alarms 
from a combination of sensors in a 
logical order. Alarm presentation 
sequence based on importance or 
seriousness of alarm. 

alert: communication that informs all 
security personnel of a facility emer- 
gency and of the location of the 
emergency. 

analog signal: a signal that attains an infi- 
nite number of different amplitude 
levels, as opposed to one that can attain 
only a finite number of levels as a func- 
tion of time. [See also digital signal.) 

angular field of view: the measure of the 
field of view of a lens or surveillance 
camera/lens combination expressed in 
degrees. [See field of view.) 

annunciator: an electrically controlled 
signal board or indicator primarily 
used for alarm presentation to guard 
forces. 

aperture: the lens opening that deter- 
mines the amount of light that will pass 
through the lens and onto the image 
plane. 

ASD: Adversary Sequence Diagrams. A 
means of graphically displaying paths 
that an adversary might take to accom- 
plish his or her objective. 

assess: to determine the validity and 
response to an alarm signal. 
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assessment: the determination of the 
cause of an alarm and information 
regarding the threat. 

assessment zone: the volume of space in 
which assessments are possible. 

attack: an attempt by an adversary to 
defeat the physical protection system 
and achieve his or her objectives. 
Attack tactics include force, deceit, and 
stealth, used singly or in combination. 

authentication code: a code known only 
to members of the response force. It can 
be used to verify that a critical or ques- 
tionable transmission was made by a 
member of the force. 

auto-iris lens: a lens whose aperture is 
controlled by monitoring the video 
signal amplitude and automatically 
adjusting the iris to maintain a constant 
video amplitude output. 

automated access control system: elec- 
tronic or electromechanical system 
used to authorize movement of person- 
nel, vehicles, or material through 
entrances and exits of a secured areas. 
Authorization is obtained by the user 
entering personal identification infor- 
mation (i.e., through magnetic or prox- 
imity cards, personal identification 
number, or biometric scan), a compu- 
ter comparison of identification data 
against an authorized user list, and 
computer activation of the portal 
unlock mechanism if the requester is 
authorized access. 

B 

background noise: the total system noise, 
independent from the presence or 
absence of a signal. The signal is not 
included as part of the noise. 

balanced line: a video transmission line 
whose impedance to ground from either 
side is equal, usually 124 ohms in video 
transmission systems. 

bandsp lit ting (frequency scrambling): 
a common analog voice-scrambling 
technique that involves partitioning 
of an audio channel into several 
separate frequency bands that are 



then transposed or interchanged before 
transmission. 

biometric device: automatic device that 
can verify an individual's identity from 
a biological measurement of a feature. 

bistatic: refers to an active intrusion 
detection sensor in that the transmit- 
ter and the receiver are not collocated 
in the same unit. (See monostatic.) 

blackmail: extortion by threats, espe- 
cially of public exposure or criminal 
prosecution. 

blinding: the reduction of scene informa- 
tion as the result of relatively high light 
levels entering the lens. The camera 
lens opening will be determined by the 
higher light levels, and will close down. 
Information in darker areas of the scene 
will be lost. 

blooming: the loss of detail in regions 
of the video picture due to enlargement 
of an intense and excessively bright 
spot being displayed on the fluores- 
cent screen of the cathode-ray picture 
tube; also, charge migration on video 
camera imagers from high illumination 
sources. 

BMS: Balanced Magnetic Switch. An 
intrusion sensor usually used to in- 
dicate a door opening. The switch is ac- 
tivated by the movement of a magnet 
mounted on the door. 

bridging (or looping) input: a high 
impedance intermediate termination of 
a signal line at the input of an amplifier, 
monitor, or video switcher where the 
signal line must continue on to other 
equipment. In video equipment, all 
outputs have a characteristic imped- 
ance of 75 ohms. The bridging (or 
looping) high impedance input allows 
several pieces of equipment to use a 
common video signal without signifi- 
cant loss of signal amplitude. The last 
input in a single video line must be 
terminated in 75 ohms. 

brightness (luminance): the attribute of 
visual perception in which an area 
appears to reflect or emit light, mea- 
sured in foot-lamberts. 



broadband: wide bandwidth transmis- 
sion system with a single carrier 
and multiple information channels; it 
can be fiber-optic or RF (radiated or 
on cable). 

broadband jamming: simultaneous jam- 
ming of many adjacent frequencies by 
one high-power jamming signal. 

buffer: a data area shared by hardware 
devices or program processes that 
operate at different speeds or with dif- 
ferent sets of priorities. The buffer 
allows each device or process to operate 
without being held up by the other. In 
order for a buffer to be effective, the size 
of the buffer and the algorithms for 
moving data into and out of the buffer 
need to be considered by the buffer 
designer. Like a cache, a buffer is a 
"midpoint holding place" but exists not 
so much to accelerate the speed of an 
activity as to support the coordination 
of separate activities. 

buried-line sensor: a passive intrusion 
detection sensor that employs a buried 
transducer to detect seismic and/or 
magnetic disturbances. 

burn? r I-in image: an image that persists 
in a fixed position in the output signal 
of a camera tube after the camera has 
been turned to a different scene. 

bypass: a sensor defeat mode in which 
an intruder defeats a sensor by avoid- 
ing its detection zone or detection 
method. 



CCD: Charge-Coupled Device. A semi- 
conductor device that is used especially 
as an optical sensor and that stores 
charge and transfers it sequentially to 
an amplifier and detector. 

CCTV: Closed Circuit Television. A tele- 
vision system in which the signal dis- 
tribution is limited or restricted, 
usually by cable. 

Classification: the positive assessment 
that a detected object is human, animal, 
or some other object. (See detection and 
identification.) 



clear-voice: normal radio transmissions 
that have not been scrambled or 
encoded. [See also voice privacy.) 

clear zone: an area within the storage 
site perimeter and around the boundary 
of the storage site free of all obstacles, 
topographical features, and vegetation 
exceeding a specified height. The zone 
is designed to facilitate detection and 
observation of an intruder, to deny 
protection and concealment to an 
intruder, to maximize effectiveness of 
the security force, and to reduce the 
possibility of a surprise attack. [See 
isolation zone.) 

coaxial cable (coax): a cable consisting of 
a single conductor surrounded by, and 
insulated from, a metallic shield, used 
for the transmission of video baseband 
and high-frequency signals. 

coercivity: the measure of the resistance 
of a magnetic material to changes in the 
stored information when exposed to a 
magnetic field. The coercivity is defined 
as the magnetic intensity of an applied 
field required to change the informa- 
tion. The unit of magnetic intensity 
used to describe the coercivity is the 
oersted. 

collusion: secret agreement between two 
or more persons for a fraudulent, 
deceitful, illegal, or malevolent 
purpose. 

common mode: pertaining to signals or 
signal components that are identical in 
amplitude, duration, and time; in an 
operational amplifier, characteristics 
denoting amplifier performance when a 
common signal is applied to inverting 
and noninverting inputs. 

communication: the function of transmit- 
ting or interchanging information, 
including both transmission of alarm 
signals to a central processing station 
and transmission of response informa- 
tion to security personnel. 

communications system: the equip- 
ment and procedures used by the 
security force for sending and receiv- 
ing messages. 
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complementary sensors: sensors se- 
lected for combination because of 
their capabilities of mutually providing 
what the other lacks in terms of proba- 
bility of detection, nuisance alarm rate, 
and/or vulnerability to defeat. Multiple 
sensors will use different detection 
technologies. 

containment: physical barriers, such as 
walls, transport flasks, containers, ves- 
sels, etc., that in some way physically 
restrict or control the movement of or 
access to nuclear material, to infor- 
mation related to the quantities or loca- 
tions of nuclear material, and to IAEA 
(International Atomic Energy Agency) 
surveillance devices. 

continuous detection: for a protected 
perimeter, no detection gaps occur 
in the detection zones of any of the sen- 
sor lines included in the perimeter 
subsystem. 

contraband: materials such as firearms, 
explosives, or special nuclear material 
that are not permitted to enter or to 
leave a particular area; unauthorized 
material or material that could be 
used for sabotage, such as SNM (spe- 
cial nuclear material), shielded SNM, 
weapons, explosives, narcotics, gold, 
and/or currency. 

contrast: the ratio of light and dark por- 
tions of a video picture. 

control track: for videotape recorders, 
the area on the tape containing a record- 
ing used by a servomechanism primar- 
ily to control the longitudinal motion of 
the tape during playback. 

covert sensor: an intrusion detection 
sensor that is hidden from view, such as 
a sensor buried in the ground, and that 
does not radiate any signal detectable 
from outside of the perimeter. [See 
visible sensor.) 

CPU: central processing unit; the micro- 
processor in computers that provides 
the computing power. 

crawling: the physical act of entering and 
leaving a detection zone by lying prone 
to the ground and moving at an approx- 



imate velocity of 0.1 meter per second 
through the zone while maintaining a 
low profile. 

crawl test: crawling through an intrusion 
sensor's expected detection zone to 
help determine whether or not it is 
functioning properly is called a crawl 
test. [See detection zone.) 

crossover: the point at which the center- 
lines of two overlapping microwave 
sensor beams intersect. 

Cross-talk: undesired transfer of signals 
between systems or parts of a system. 

CRT: Cathode Ray Tube. A display tube 
used in television sets and CCTV 
monitors. 

D 

deadly force: force that a reasonable 
person would consider likely to cause 
death or serious physical injury, which 
could lead to death. 

dead spot: gap in communication system 
coverage, especially radio coverage. 

dead time: the length of time between 
two successive uses of the line by a par- 
ticular sensor in a time-division, multi- 
plexed sensor system. 

deceit: attempt to defeat a security system 
using false identification or authoriza- 
tion. 

deception: the transmission of mislead- 
ing messages by an adversary attempt- 
ing to confuse or deceive. 

decoder: in communications, decoding is 
the use of an inverse algorithm of the 
one used for encoding a communica- 
tions message to obtain the original 
message. 

defeat: to prevent someone from accom- 
plishing their goal. Also the act of 
bypassing a sensor or system of access, 
personnel, or material control within 
the facility. 

delay: the element of a physical protec- 
tion system designed to impede adver- 
sary penetration into or exit from the 
protected area. 

denial: the effect achieved by safeguards 
and security systems or devices that 



impedes or hinders a potential intruder 
or adversary from gaining access to or 
use of a particular space, structure, or 
facility. 

deployment: the actions of the protective 
force from the time communication is 
received until the force is in position to 
neutralize the enemy. 

depth of field: the maximum distance 
from a CCTV camera lens that two 
objects may be separated in a given lens 
field of view and still maintain accept- 
able image focus for both objects. 

detection: determining that an unautho- 
rized action has occurred or is occur- 
ring; detection includes sensing the 
action, communicating the alarm to 
a control center, and assessing the 
alarm. Detection is not complete with- 
out assessment. 

detection and assessment: the element of 
a physical protection system designed 
to discover and to verify unauthorized 
intrusion attempts. 

detection zone: a volume of space or 
surface area under the surveillance of 
one or more intrusion detection devices 
from which an alarm is produced when 
the volume or surface area is subject to 
a condition for an alarm. 

deterrence: discouraging an adversary 
from attempting an assault by making a 
successful assault appear very difficult 
or impossible. 

digital encryption: the conversion of the 
analog voice signal to a digital signal in 
the system transmitter, and the encod- 
ing of each bit of the digital data stream 
according to an algorithm dependent 
upon a pseudorandom code sequence 
generated within the transmitter. 

digital signal: a radio signal made up of a 
series of digital pulses produced by 
pulses of one current or voltage value. 
[See also analog signal.) 

disgruntled employee: an employee who 
is very dissatisfied and thus a potential 
insider adversary. 

distribution amplifier: a wideband am- 
plifier having a single input and 



several impedance-matched outputs for 
driving multiple signal lines. Distribu- 
tion amplifiers can be used for video or 
sync signals. 

diversion (divert): an attack, or feint, that 
draws the attention and force of an 
enemy from the point of the principal 
operation. 

Doppler effect: the apparent change in 
the frequency of sound or electromag- 
netic energy, due to the motion of the 
object emitting or reflecting sound or 
electromagnetic energy. 

due diligence: (1) The diligence reason- 
ably expected from, and ordinarily 
exercised by, a person who seeks to 
satisfy a legal requirement or to dis- 
charge an obligation. Also termed 
reasonable diligence. (2) Corporations 
and Securities: a prospective buyer's 
or broker's investigation and analysis 
of a target company, a piece of prop- 
erty, or newly issued security. A fail- 
ure to exercise due diligence may some- 
times result in liability, as when a 
broker recommends a security without 
first investigating it adequately. 

duress: a condition characterized by a 
forcible restraint of liberty, imprison- 
ment, constraint, or compulsion. 

duress alarm: an alarm initiated by a 
security operator to signal a physical 
attack or other serious problem. 

duress code: a prearranged word, group 
of words, phrase, or other signal 
(normally aural) that covertly indi- 
cates to a knowledgeable person (e.g., 
guard or alarm console operator) 
that the individual is under some 
form of coercion and is acting 
unwillingly. 

duress system: a system that can covertly 
communicate a response requirement to 
a security control center or to other per- 
sonnel who can then notify a security 
control center. 

dynamic: refers to an active communica- 
tion link that generates a continually 
changing signal to represent the secure 
condition. 



Glossary 



293 



EASI: Estimate of Adversary Sequence 
Interruption. A dynamic analytical com- 
puter model. 

eavesdropping: an adversary's unautho- 
rized monitoring of information carried 
over a radio network. 

ECD: Electron Capture Detector. A pas- 
sive explosives vapor detector. 

effectiveness evaluation: an analysis of 
the capability of a physical protection 
system to defeat an attack. 

electric-field sensor: an active intrusion 
detection sensor that generates an elec- 
tric field and senses changes in capaci- 
tance caused by an intruder. 

element: a distinct part of a physical pro- 
tection system. 

embezzlement: stealing of money or 
property by an employee to whom it has 
been entrusted. 

EMI: Electromagnetic Interference. Dis- 
turbances of equipment operation 
caused by electromagnetic fields 
from outside sources. 

encryption: in digital communications, 
encoding an intelligible binary data 
stream to prevent unauthorized eaves- 
dropping of radio transmissions. 

end event: the uppermost gate or event of 
a logic diagram; a gate that does not 
input to another gate; the ultimate 
objective of an adversary in a sabotage 
or theft fault tree. 

enhancement: change or modification to 
a system that improves its operation 
performance (i.e., by reducing either 
risk or cost). 

entry control: the physical equipment 
and procedures used to verify access 
authorization and to detect contraband; 
part of the physical protection function 
of detection. 

entry control point: entrance to a site or 
secured area at that access is controlled 
and egress is allowed. 

equalization: the process of correcting for 
transmission line losses of the fre- 
quency characteristics of an electronic 
signal. 



equalizer: an electronic device used 
to compensate for low- and high- 
frequency losses through a transmis- 
sion system. 

equalizing pulses: pulses used to main- 
tain horizontal sync in interlaced scan- 
ning that occur at twice the horizontal 
scan rate. 

escort: an authorized individual assigned 
the responsibility to accompany per- 
sons who lack need to know or access 
authorization within a security area in 
order to ensure adherence to security 
measures. 

event: an act against a physical protection 
system that an adversary must perform 
to achieve his or her objective. 

excessive force: unreasonable or unnec- 
essary force under the circumstances. 

explosives detector: a device capable 
of detecting the presence of certain 
types of explosives. Two types of 
explosives detectors are: (1) Ion mobil- 
ity spectrometer, which is capable of 
detecting all types of nitrated ex- 
plosives, and (2) Gas chromatograph- 
electron capture detector, which is 
capable of detecting all of the nitrated 
commercial explosives, including TNT. 

extortion: stealing money or property by 
force or threat, such as blackmail. 



facility: a plant built or established to 
serve a particular purpose. 

facility characterization (characteriza- 
tion): describing, listing, or drawing 
the major parts of a facility. 

fail-safe: systems that fail or lose power 
in such a way as to protect an asset. 
(See fail-soft.) 

fail-soft: the capability of a physical 
protection system to operate, perhaps 
in a reduced capacity, during a failure 
of some element in the system. (See 
fail-safe.) 

false alarm: alarm caused by internal 
equipment malfunction; since false 
alarms have no readily discernible 
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cause, they actually are unknown 
alarms. A subset of nuisance alarms. 

false arrest: an arrest made without 
proper legal authority. 

false imprisonment: a restraint of a 
person in a bounded area without justi- 
fication or consent. False imprisonment 
is a common-law misdemeanor and a 
tort. It applies to private as well as gov- 
ernmental detention. 

FAR: False Alarm Rate. [See false alarm.) 

far-field: refers to the far edge of an 
assessment or detection zone. In alarm 
assessment, the far field is the resolu- 
tion-limited field of view. 

feature criteria approach: definition of a 
physical protection system in terms of 
the features or elements (such as sensor 
systems) it must contain. [See perfor- 
mance criteria approach.) 

field: the video produced in one vertical 
scan of the camera imager or monitor 
that consists of 262.5 horizontal scan 
lines in U.S. television systems. Two 
fields are required to form a single video 
frame. 

field frequency: the rate at which video 
fields are created, nominally 60 times 
each second in U.S. television systems. 

field of view: the area visible through the 
lens of an optical instrument. [See 
linear field of view and angular field of 
view.) 

FL: Focal Length. The distance from the 
optical center of a simple lens to the 
plane of focus and which is indicative 
of the image size produced. 

flare: light reflections from polished or 
shiny surfaces. Such reflections appear 
as bright areas in a video image. 

float-charging (trickle-charging): contin- 
uous slow-charging of a storage battery 
in that the charging rate is just sufficient 
to compensate for internal losses or 
normal discharge. 

f-number: the ratio of the focal length to 
the clear aperture in a lens, expressed 
in the form f/1.8. 

foot-candle (fc): the unit of illuminance 
when the foot is taken as the unit of 
length. It is the illuminance on a surface 



one square foot in area on which there 
is a uniformly distributed flux of one 
lumen, or the illuminance produced 
on a surface all points of which are at 
a distance of one foot from a direction- 
ally uniform point source of one 
candela. 

force: an overt attempt to overcome a 
security system by violence, compul- 
sion, or constraint. 

format: the size of the usable image in a 
TV camera or lens, or the system used 
to record video. 

frame: a single television picture, made 
up of two interlaced fields, occurring in 
1/30 of a second, and consisting of 525 
horizontal scanning lines (U.S. stan- 
dard). 

frame frequency: the rate at which a 
complete frame is scanned, nominally 
30 frames per second. 

freeze frame: to display a single frame of 
video continuously. 

f-stop: the lens designation indicating rel- 
ative diaphragm opening or aperture 
diameter. 

fullband jamming: a jamming signal with 
a bandwidth greater than or equal to the 
bandwidth of the signal being jammed. 

full duplex mode: refers to a transceiver 
function that allows receiving and 
transmitting simultaneously on two dis- 
crete frequencies. 



ghost: a spurious image displaced from 
the primary image caused by different 
arrival times of the signals. 

guards: the on-site facility security per- 
sonnel who comprise the response 
function in a physical protection 
system. 

H 

halo: most commonly, a dark area sur- 
rounding an unusually bright object, 
caused by overloading of the camera 
imager. Reflection of lights from a bright 
object might cause this effect. 

hardened container: container, used for 
transportation, of such strength and 
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durability as to provide protection to 
prevent items from breaking out of 
the container and to facilitate the de- 
tection of any tampering with the 
container. 

hardening: enhancing a wall or door to 
make it more difficult to penetrate. 

hoax: a false claim. 



identification: the positive assessment of 
a recognized object as a specific person, 
animal, or thing. 

illuminance: the density of the luminous 
flux incident on a surface. 

impostor: an adversary who deceives by 
using an assumed name or identity 

impostor pass rate: the rate at which 
persons with false credentials are 
allowed to pass through an entry- 
control portal. Also called false accept 
rate. 

IMS: Ion Mobility Spectrometer. A 
time-of-flight mass spectrometer that 
measures the mobility of ions at 
atmospheric pressure; a passive ex- 
plosives vapor detector. 

infrared: light or energy in that portion of 
the electromagnetic spectrum having a 
longer wavelength than visible light. 
Many CCTV cameras have considerable 
sensitivity to energy in the shorter 
wavelengths of this region. 

insider: a person who, by reason of offi- 
cial duties, has knowledge of operations 
and/or security system characteristics, 
and/or position that would significantly 
enhance the likelihood of successful 
bypass or defeat of positive measures 
should that person attempt such an 
action. 

intercom: intercommunication system; a 
two-way communication system with a 
microphone and loudspeaker at each 
station for localized use. 

interlaced scanning (interlace): a process 
of interweaving two separate fields of 
video information to form a single 
video frame. 

interruption: stopping the progress of the 
adversary by the response force. 



invasion of privacy: an unjustified ex- 
ploitation of one's personality or in- 
trusion into one's personal activity, 
actionable under tort law and some- 
times under constitutional law. The 
four types of invasion of privacy in tort 
are (1) an appropriation, for one's 
benefit, of another's name or likeness; 
(2) an offensive, intentional interfer- 
ence with a person's seclusion or 
private affairs; (3) the public disclosure, 
of an objectionable nature, of private 
information about another; and (4) the 
use of publicity to place another in a 
false light in the public eye. 

IR: See Infrared. 

iris (camera): the adjustable opening that 
controls the amount of light exiting a 
lens. Its diameter controls both the 
amount of light used to excite the 
imager and the depth of field. 

iris (eye): the colored portion of the eye 
that opens and closes to regulate the 
amount of light allowed into the eye. 

isolation zone: restricted access area sur- 
rounding a facility that has been cleared 
of any objects that could conceal vehi- 
cles or individuals and affords unob- 
structed observation or the use of other 
means for detection of entry into the 
area. (See clear zone.) 

J 

jamming: an adversary's attempts to 
prevent radio communications through 
physical destruction of communica- 
tions equipment or through transmis- 
sion of a disruptive radio signal. 

jamming geometry: the geometrical rela- 
tionship between the jammer and the 
radio units in the system being jammed. 

K 

K-band: the 11 to 36 GHz band of 
frequencies. 



lag: a result of imager persistence, 
usually expressed as a percentage of 
signal remaining three fields (50 mil- 
liseconds) after the signal has been 
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removed. Lag produces image smearing 
and resolution loss when relative 
motion exists between camera and 
scene. 

land line: a hard-wired communications 
line, such as a telephone line. 

light level: the intensity of incident light 
measured in foot-candles or lux. 

linear field of view: the measure of the 
field of view of a lens or camera/lens 
combination expressing the width or 
height of the scene at a specified dis- 
tance, stated in meters (or feet). [See 
field of view.) 

line-of-sight sensor: an intrusion detec- 
tion sensor that requires a clear line 
of sight (LOS) in the detection space; 
an active LOS sensor requires a clear 
LOS between the transmitter and the 
receiver. [See terrain-following sensor 
and LOS.) 

line-lock: refers to a condition occurring 
when the vertical drive (vertical sync in 
video signal) is the same frequency as 
the power line. 

line sensor: an intrusion detection sensor 
that exhibits detection along a line. [See 
volumetric sensor.) 

line supervision: a means to monitor the 
integrity of communication lines. 

local communications: communications 
that transfer details and tactical infor- 
mation among security personnel once 
they have arrived at the location of an 
emergency. 

local threat assessment: threat assess- 
ment for a specific facility, operation, or 
geographical area. 

logic tree: a logic diagram that graphi- 
cally represents how a combination of 
events can end in a specific result. It is 
a technique used to describe the signif- 
icant ways an adversary can reach his 
or her objective by defeating the ele- 
ments of a physical protection system. 

loop: (1) a signal path; (2) an alarm 
communication and display term that 
refers to a series of multiplexers con- 
nected via dual communication paths 
to two microprocessors. 



LOS: Line of Sight. The distance over 
which a radio signal may be directly 
transmitted along the surface of the 
earth; radio LOS is usually greater than 
optical LOS. 

lossy: refers to a cable having high atten- 
uation per unit length; in the case of 
a ported coax sensor, attenuation is 
caused by cable leakage. 

lumen (lm): the photometric unit of 
radiant power. One lumen is the 
amount of luminous flux emitted into a 
solid angle of 1 steradian by a point 
source whose luminous intensity is 1 
candela. A steradian is a 3 -dimensional 
unit of measure for solid angles. It is a 
wedge of space that is a radian in 
angular measurement in the horizontal 
and vertical dimensions. 

Luminaire: a complete lighting unit con- 
sisting of a lamp or lamps together with 
the parts designed to distribute the 
light, to position and protect the lamps 
and to connect the lamps to the power 
supply. 

lux (lx): the metric unit of illuminance 
equal to 1 lumen incident upon 1 
square meter. One lux is equal to 0.0929 
footcandle. 

M 

magnetic buried-line sensor: a buried- 
line sensor that generates an electrical 
signal when ferromagnetic material 
passes near the transducer. 

magnetometer: a passive device that 
monitors the earth's magnetic field and 
detects changes to that field caused by 
the presence of ferromagnetic materials. 
This method detects only ferromagnetic 
materials (those that are attracted by a 
magnet). Materials such as copper, 
aluminum, and zinc are not detected. 

malevolent act: an illegal action, or an 
action that is committed with the intent 
of causing wrongful harm or damage. It 
includes trespass or theft; industrial 
sabotage; espionage; loss, compromise, 
or theft of classified matter or govern- 
ment property; vandalism; and adverse 
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impacts on the national security, 
program continuity, or health and safe- 
ty of employees, the public, or the 
environment. 

malevolent action: a deliberate action 
with intent to harm or destroy installa- 
tions or people. 

matching transformer: a passive device 
used to convert the impedance of a 
circuit to the impedance of a transmis- 
sion line or vice versa. 

metal detector: active device that gener- 
ates a varying magnetic field over a 
short period of time to detect the pres- 
ence of metals. These devices either 
detect the changes made to the field due 
to the introduction of metal to the field, 
or detect the presence of eddy currents 
that exist in a metallic object caused by 
a pulsed field. The magnitude of the 
metal detector's response to metallic 
objects is determined by several factors 
including the conductivity of the metal, 
the magnetic properties of the metal 
(relative permeability), object shape 
and size, and the orientation of the 
object within the magnetic field. 

microwave reflector: a planar metallic 
surface or grid designed for passive 
reflection of a microwave beam and 
used for the purpose of directing 
the beam. 

microwave sensor: an active intrusion 
detection sensor that transmits micro- 
wave signals and detects changes in the 
signal caused by a moving object. 

mitigating: reducing the severity or harsh- 
ness of a situation. 

monochrome signal: a television signal 
without color information. 

monostatic: refers to an active intrusion 
detection sensor in which the transmit- 
ter and the receiver are together, either 
the same or nearly coincident. [See 
bistatic.) 

multiplexer: a device that allows two 
or more signals to be transmitted 
simultaneously on a single carrier 
wave, communications channel, or 
data channel. 



multiplexing: a signaling method us- 
ing wire or radio characterized by the 
noninterfering transmission of more 
than one signal over a communication 
channel. 

N 

NAR: Nuisance Alarm Rate. The 
expected rate of alarms from an in- 
trusion detection sensor that can be 
attributed to known causes unrelated 
to intrusion attempts. 

negligence: the failure to exercise the 
standard of care that a reasonably 
prudent person would have exercised 
in a similar situation; any conduct that 
falls below the legal standard to protect 
others against unreasonable risk of 
harm, except for conduct that is inten- 
tionally, wantonly, or willfully disre- 
gardful of others' rights. The term 
denotes culpable carelessness. Also 
termed actionable negligence; ordi- 
nary negligence; simple negligence. 
Expressed in terms of the following 
elements: duty, breach of duty, causa- 
tion, and damages. 

neutralize: render ineffective or stop the 
actions of an adversary. 

nuisance alarm: an alarm that is not 
caused by an unauthorized action. For 
example, wind, snow, birds, or sys- 
tem malfunction may cause nuisance 
alarms. 

O 

offset: the distance on the ground surface, 
measured from either the transmitter or 
the receiver in the direction of the line 
of sight, in which an intruder can crawl 
under the beam of a microwave sensor 
undetected. 

off-site: the area outside the plant's or 
facility's land boundaries, not just exte- 
rior to the buildings. 

on-site: the area within the plant's or 
facility's land boundaries, not just inte- 
rior to the buildings. 

outriggers: the angled metal extensions at 
the top of a fence. 
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outsider: a person who does not have offi- 
cial business with the facility or has 
not been granted routine access to a 
program, operation, facility, or site; a 
person who is not authorized to enter 
a protected or vital area. 

overburden: a cover of dirt or rocks above 
a sensitive area to protect it from attack; 
access delay. 

overt: an action that is open and not con- 
cealed. An attack using explosives 
would be an overt attack. 



P D : probability of detection; the likeli- 
hood of detecting an adversary within 
the zone covered by an intrusion detec- 
tion sensor. 

Pj! cumulative probability of interrup- 
tion; the cumulative probability of 
detection from the start of an adversary 
path to the point determined by the 
time available for response (TR). 

P s : probability that an intrusion detection 
sensor will sense an unauthorized 
action. 

pan/tilt mount: an electromechanical 
device used for remote CCTV cam- 
era field-of-view positioning. 

passive: refers to a communication link 
that carries a signal only when an alarm 
occurs. 

passive infrared sensor: a passive in- 
trusion detection sensor that detects 
different infrared energy (heat) over 
background levels. 

passive sensor: an intrusion detection 
sensor that produces no signal from a 
transmitter but simply detects energy 
emitted in the proximity of the sensor. 
(See active sensor.) 

path: any physical route taken by the 
adversary. 

performance criteria approach: specifi- 
cation of a physical protection system 
in terms of the performance expected 
from it. (See feature criteria approach.) 

performance test: test to confirm the 
ability of an implemented and operat- 
ing system element or total system to 
meet an established requirement. 



performance testing: process to be used 
to determine that the security features 
of a system are implemented as de- 
signed and that they are adequate for 
the proposed environment. Note: This 
process may include functional test- 
ing, penetration testing, or software 
verification. 

perimeter: an isolation zone around a 
protected area or the boundary between 
off-site and on-site. 

PETN: Penta-erythritol Tetra-nitrate. A 
nitrate ester that contains an unstable 
bond and is the explosive chemical in 
common plastic explosives such as 
detasheet and detcord. 

physical protection: measures imple- 
mented for the protection of assets 
or facilities against theft, sabotage, or 
other malevolent attacks. 

physical security: (1) the use of people, 
procedures, and equipment (alone or 
in combination) to control access to 
assets or facilities; (2) the measures 
required for the protection of assets or 
facilities from espionage, theft, fraud, 
or sabotage by a malevolent human 
adversary. 

physical security plan: a facility-specific 
document (or group of documents) that 
gives a comprehensive description of 
the measures employed for the physical 
protection of property, information, 
equipment, materials, and other assets 
of interest. 

piezoelectric effect: a property of an 
asymmetric crystal, such as quartz, 
rochelle salt, tourmaline, or various 
synthetics, that delivers a voltage when 
mechanical force is applied to its faces. 

PIN: Personal Identification Number. 

point detector: an intrusion sensor that 
has a relatively small detection region 
usually located close to the sensor. 

portal monitor: any electronic instru- 
ment designed to perform scans of 
items, personnel, and vehicles entering 
or leaving a designated area for the 
purpose of detecting weapons, explo- 
sives, and nuclear material. (See explo- 
sives detector and metal detector.) 
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ported: refers to a cable having closely 
spaced, small holes or gaps in the shield 
that allow RF energy to radiate. 

positive feature: an element of a physical 
protection system that has a pre- 
dictable, effective level of performance. 

positive personnel identity verification: 
examination of a unique physical char- 
acteristic, such as voice, eye pattern, or 
fingerprint, of a person to compare with 
stored data. If the data match, the 
person's identity is verified. 

PPS: Physical Protection System. 

primary event: an event considered to be 
the cause of other events but which 
itself has no developed cause; the first 
step in a logic tree. A primary event 
may be a basic, an undeveloped, or a 
developed event. 

priority: a measure of the importance of 
a particular alarm relative to site 
security. 

protected area: a specifically defined 
area, enclosed by one or more phys- 
ical barriers, to which access is 
controlled. 

protective force: the guard force at a facil- 
ity whose responsibility it is to respond 
first to an adversary attack. 

protocol: the special set of rules for com- 
municating that the end points in a 
telecommunication connection use 
when they send signals back and 
forth. Protocols exist at several levels 
in a telecommunication connection. 
There are protocols between the end 
points in communicating programs 
within the same computer or at dif- 
ferent locations. Both end points must 
recognize and observe the protocol. 
Protocols are often described in an 
industry or international standard. 

psychotic: an insane person who acts in 
an irrational manner. 

PTZ: refers to a pan-tilt-zoom equipped 
camera. 

Q 

quiescent: refers to the state of an active 
intrusion sensor when there is no 
movement in the detection zone. 



R 

raster: the blank gray or white picture 
produced by a monitor when its elec- 
tron guns are just turned on but not 
varied in intensity by an applied video 
signal. 

RDX: hexahydrotrinitrotriazine (cyclo- 
nite). A nitrogen containing com- 
pound that is the primary explosive 
chemical in C-4 plastic explosive. 

real-time: an observation made at the 
time an event is taking place, or a 
phrase describing the operation of a 
computer or a data processing system, 
in which events are represented or 
acted upon as they occur. 

reasonable force: force that is not exces- 
sive and that is appropriate for protect- 
ing oneself or one's property. The use of 
reasonable force will not render a 
person criminally or tortiously liable. 
Also termed legal force. 

rebar: steel reinforcement bar used to 
reinforce heavy concrete walls, floors, 
or other structures. 

repeater: a radio device that retransmits 
received signals for the purpose of 
extending transmission distance or 
overcoming obstacles. 

resolution (horizontal): the number of 
independently resolvable elements in 
three-fourths of the picture width. It is 
most easily and frequently measured 
with the aid of a resolution chart, with 
the resolution units specified in TV 
lines. Horizontal resolution depends 
upon the high-frequency phase and 
amplitude response of the camera, 
transmission system bandwidth, and 
the monitor, as well as the size of the 
scanning beams in the camera image 
tube and monitor. 

resolution (vertical): the number of inde- 
pendently resolvable elements in the 
picture height. Vertical resolution is pri- 
marily fixed by the number of television 
scanning lines per frame, generally con- 
sidered to be about 340 TV lines in a 
525-scan-line system. 

response: the element of a physical pro- 
tection system designed to counteract 



adversary activity and interrupt the 
threat. 

response force: the guards and external 
agencies that respond immediately to 
counter the threat of an adversary. 

response time: the time between the ver- 
ification of an alarm and the interrup- 
tion of an attack. 

retina: a membrane lining the most pos- 
terior part of the inside of the eye. It 
comprises photoreceptors (rods and 
cones) that are sensitive to light and 
nerve cells that transmit to the optic 
nerve the responses of the receptor 
elements. 

RF: Radio Frequency. 

RFI: Radio-Frequency Interference. Un- 
desired radio frequency signals that 
compete with desired signals in ampli- 
fiers, receivers, and instruments. 

RF shield: an object, such as a metal 
building, that will attenuate an RF 
signal. 

risk: measure of the potential damage to 
or loss of an asset based on the proba- 
bility of an undesirable occurrence. 

risk assessment: process of analyzing 
threats to and vulnerability of a facility, 
determining the potential for losses, 
and identifying cost-effective corrective 
measures and residual risk. 

roll: the vertical movement of an image 
on a monitor as the result of a tempo- 
rary loss of vertical sync, frequently 
present in nonsynchronous switching 
systems. 

roll test: rolling through an intrusion 
sensor's expected detection zone to 
determine whether or not it is func- 
tioning properly. 

run test: running through an intrusion 
sensor's expected detection zone to 
determine whether or not it is func- 
tioning properly. 



sabotage: (1) industrial: any deliberate 
act, not involving toxicological releases, 
that could have unacceptable impact to 
programs. (2) toxicological: a deliberate 



act directed against hazardous materials 
stored, produced, or used at facilities 
that could cause a release of a toxic sub- 
stance that may adversely impact the 
health and safety of the public, employ- 
ees, or the environment. 

SAVI: System Analysis of Vulnerability 
to Intrusion. A dynamic analytical com- 
puter model using multiple adversary 
paths. 

scenario: an outline of a sequence of 
events by which an adversary may 
achieve the objective. 

scrambling: processing a radio signal to 
make it unintelligible to a receiver that 
does not have the proper decoder. 

sector: a defined portion of the phy- 
sical protection system that may have 
multiple sensors and dedicated CCTV 
coverage. 

secure: refers to the normal operational 
state of a sensor during which both 
intrusion and tamper alarms are dis- 
played at the operators' consoles. 

security: an integrated system of activi- 
ties, systems, programs, equipment, 
personnel, and policies for the protec- 
tion of classified information or matter, 
sensitive information, critical assets 
and personnel. 

security area: in general, an area that 
requires monitoring of area boundaries 
and controlling of personnel entry. 

security communications network: the 
procedures and hardware used to carry 
communications among members of the 
security force during both normal and 
emergency operations. 

seismic buried-line sensor: a buried-line 
sensor that detects mechanical pres- 
sure, deformation, and vibration trans- 
mitted through the ground burial 
medium to the sensor transducer. 

seismic disturbances: mechanical pres- 
sure, deformation, or vibration trans- 
mitted through the ground. 

seismic-magnetic buried-line sensor: a 
buried-line sensor that is sensitive 
to both seismic and magnetic 
disturbances. 
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self-test: a feature often available on 
sensors that allows them to be tested 
readily to determine whether they are 
functioning properly. 

sensitivity analysis: an examination of 
how a system responds when one or 
more of its elements are changed. 

sensor: a device that responds to a stim- 
ulus associated with an unauthorized 
action, such as an intrusion into a pro- 
tected area or an attempt to smuggle 
contraband through an entry. 

spoof: to defeat a sensor by means of any 
technique that allows a target to pass 
through the detection volume without 
generating an alarm. 

spread-spectrum system: a jam-resistant 
communication system in which the 
transmitted signal is much wider than 
the minimum bandwidth necessary to 
transmit the information signal. 

stand-off attack: an attack on a facility 
without actually entering it, such as 
firing a missile from off-site. 

stealth: an attempt to defeat a physical 
protection system by avoiding or inac- 
tivating its components in order to 
prevent detection. 

stop-action: in recording systems, the 
process of electronically holding the 
picture at one field or frame. 

strategy: the overall method planned by 
the adversary to achieve objectives. 

subsystem: a component or group of com- 
ponents comprising one unit or fulfill- 
ing one function of the physical 
protection system. 

surreptitious: secret or stealthy, espe- 
cially leaving behind no evidence of 
penetration or compromise. 

surveillance: the collection of informa- 
tion through CCTV or direct observa- 
tion in order to detect security events. 
This process depends on a human to 
detect the event or activity without the 
aid of sensors. 

sync: synchronizing. 

sync generator: a composite of three 
basic functional units for use in video 
subsystems: a pulse generator, a timing 



reference, and a comparator/control 

unit to lock the pulse generator to the 

time reference. 
synchronization (sync): in a video 

monitor or image tube, the process 

of maintaining two or more scanning 

processes in phase. 
sync pulse: a pulse transmitted as part of 

the composite video signal to control 

scanning. 



T G : guard response time. 

T R : time available for response; the 
minimum delay along the portion of 
the adversary path remaining after the 
point at which the adversary must be 
detected to allow guard response (T G ); 
T R just exceeds T G . 

tamper alarm: an alarm that is generated 
when access doors to sensor electronics 
or wire connections are opened or when 
the sensor detects a spoofing attempt. 

tamper-indicating circuitry: line supervi- 
sory circuitry on data transmission 
lines and switches used to sense the 
loss of alarm capability. 

tamper-indicating device: a device that 
may be used on items such as contain- 
ers and doors, which, because of its 
uniqueness in design or structure, 
reveals violations of containment inte- 
grity. These devices on doors (as well 
as fences) are more generally called 
security seals. 

tampering: interference in an intentional, 
unauthorized, or undeclared manner to 
physically defeat a security device. 

tamper protection: (See tamper-indicat- 
ing circuitry.) 

tamper-safmg: the act of applying a 
tamper-indicating device. 

target: the objective of an attack. Also 
called an asset. 

target identification: the process of eval- 
uating a facility to determine locations 
where an adversary might accomplish 
objectives. 

TDM: Time-Division Multiplexing. An 
alarm communication system; signals 
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from more than one sensor are trans- 
mitted over a common wire at different 
predetermined times in a time-interval 
scanning cycle. 

terrain-following sensor: an intrusion 
detection sensor that detects equally 
well on flat and irregular terrain. 
(See line-of-sight sensor.) 

test pattern: a chart used to evaluate 
many of the operating parameters of a 
video camera or system. It has various 
line patterns for measuring resolution, 
circles to evaluate geometric distortion, 
and a 10-step gray scale for evaluat- 
ing gray scale response, among other 
features. 

theft: the unauthorized removal of valu- 
able material or information from a 
facility. 

threat: an individual or a group with the 
motivation and capability for theft or 
sabotage of assets, or other malevolent 
acts that would result in loss of assets 
at a facility. 

threat analysis: a process in which infor- 
mation about a threat or potential threat 
is subjected to systematic and thorough 
examination in order to identify signif- 
icant facts and derive conclusions 
therefrom. 

threat assessment: a judgment, based on 
available intelligence, law enforcement, 
and open source information, of the 
actual or potential threat to one or more 
facilities or programs. 

throughput: the rate at which people pass 
through an entry-control portal, a con- 
traband detector, or an SNM (special 
nuclear material) detector. 

time-division multiplexing (timescram- 
bling): a common analog voice- 
scrambling technique; dividing a voice 
signal into small time segments whose 
transmission is delayed for a brief in- 
terval during which a subgroup of the 
segments is rearranged. 

timely detection: the cumulative proba- 
bility of detecting an adversary while 
there is still time for the response force 
to interrupt the adversary. 



transducer: a device that receives waves 
(electrical, acoustical, or mechanical) 
from one medium or transmission 
system and supplies waves (not nec- 
essarily of the same type as input) to 
another medium or transmission 
system. 

transient: a sudden, high-voltage spike 
in an electrical system, caused by arcing 
or lightning; any short pulse attribut- 
able to external causes. 

triaxial cable: a double-shielded 
coaxial cable; a center conductor is 
surrounded by two concentric, inde- 
pendently shielded conductors. 

turnkey: built, supplied, and/or installed 
complete and ready to operate. 

TV: television. 

twinaxial cable: a coaxial cable having 
two center conductors. 

twisted pair: a two-conductor transmis- 
sion line seldom used in video systems 
due to limited distance and bandwidth 
capabilities. 

two-man rule: a procedure requiring that 
at least two knowledgeable persons be 
present to verify that actions taken are 
authorized. 

Type I error: in a positive personnel iden- 
tity verification system, rejection of a 
claimed identity when the identity 
claimed is true. Also called false reject. 

Type II error: in a positive personnel 
identity verification system, acceptance 
of a claimed identity when the claimed 
identity is false. Also called false 
accept. 

U 

unauthorized person: person not autho- 
rized to have access to specific infor- 
mation, material, or areas. 

unknown alarms: alarms for which the 
cause is unidentified. 

upgrade: modification of an existing 
physical protection system to improve 
the system's effectiveness. 

UPS: Uninterruptible Power Supply. A 
battery-powered, alternating current 
source that will maintain power to vital 
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equipment even if all site power is 
lost. 

V 

vault: a structure or room whose door, 
walls, floor, and roof are designed to 
make penetration difficult. 

vault-type room: a facility-approved room 
having a combination-locked door(s) 
and protection provided by a facility- 
approved intrusion alarm system acti- 
vated by any penetration of walls, floor, 
ceiling, or openings, or by motion 
within the room. 

video distribution amplifier: a wideband 
video amplifier used for the transmis- 
sion of a single video signal to multiple 
video components from individual 
impedance-matched outputs. 

visible sensor: an intrusion detection 
sensor that is in plain view of an 
intruder, such as a sensor attached to a 
fence or mounted on its own support. 
(See covert sensor.) 

vital area: an area of a plant or facil- 
ity containing equipment or material 
whose failure, destruction, or release 
could directly or indirectly endanger 
facility operations or personnel. 

voice privacy: refers to the encoding of 
transmissions for the prevention of 
eavesdropping on sensitive radio traffic 
or of receiving deceptive messages. (See 
also clear voice.) 

volume protection: monitoring an entire 
area, such as a room, to detect entry 
from any entrance portal, walls, floor or 
ceiling. 

volumetric sensor: an intrusion detection 
sensor that exhibits detection in a 
volume of space. (See line sensor.) 

vulnerability: an exploitable capability 
or an exploitable security weakness or 
deficiency at a facility of security inter- 
est. Exploitable capabilities or weak- 
nesses are those inherent in the design 
(or layout) of the facility and its protec- 



tion, or those existing because of the 
failure to meet (or maintain) pres- 
cribed security standards when evalu- 
ated against requirements for defined 
threats. If the vulnerability were 
detected and exploited by an adver- 
sary, then it would reasonably be 
expected to result in a successful attack 
causing damage to the facility. 

vulnerability analysis: a method of iden- 
tifying the weak points of a facility. 

vulnerability assessment: a systematic 
evaluation process in which qualitative 
and/or quantitative techniques are ap- 
plied to detect vulnerabilities and to ar- 
rive at an effectiveness level for a 
security system to protect specific 
targets from specific adversaries and 
their acts. 

W 

walk test: walking through an intrusion 
detection sensor's expected detection 
zone to determine whether or not it 
is functioning properly. 

waveform monitor: an oscilloscope used 
specifically for measurement and analy- 
sis of video signals. 



X-band: the frequency band extending 
from 5,200 to 11,000MHz. 



zone: a specific volume of space. (See 
assessment zone, clear zone, detection 
zone, isolation zone, perimeter.) 

zone: a space that surrounds (but may not 
be occupied by) one or more targets and 
in which the functions of the physical 
protection system are to be accom- 
plished. For example, if a facility 
is surrounded by a double fence, the 
fences and the space between them 
form a zone. 

zoom lens: lens with a variable focal 
length. 
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The Design and Evaluation of Physical 
Protection Systems guides the reader through 
a description of the overall process of security 
system design and integration. This book is 
arranged in three major parts: 1) determining 
the objectives, 2) designing the system, and 3) 
evaluating the system. 

Designed for both security students and pro- 
fessionals out in the field, The Design and 
Evaluation of Physical Protection Systems is 
full of diverse examples, chapter summaries, 
and references for additional information as 
well as questions for the student. A unique 
feature of the book is a sample model for sys- 
tem performance analysis included in the 
appendices and available for download at 
www.bh.com/companions. 

• Offers process-oriented security that is "user 
friendly" to both the novice and the sea- 
soned professional 

■ Approaches security in a practical, system- 
atic manner based on proven and tested 
measures 

■ Describes simple process for estimating sys- 
tem performance against threat 
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